CVE-2021-20989
Summary
| CVE | CVE-2021-20989 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-04-19 14:15:00 UTC |
| Updated | 2022-10-29 02:49:00 UTC |
| Description | Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using a DNS spoofing attack, and a device-initiated remote port-forward channel can be used to connect to the web management interface. Knowledge of authorization credentials to the management interface is required to perform any further actions. |
Risk And Classification
Problem Types: CWE-295
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Fibaro | Home Center 2 | - | All | All | All |
| Operating System | Fibaro | Home Center 2 Firmware | All | All | All | All |
| Hardware | Fibaro | Home Center Lite | - | All | All | All |
| Operating System | Fibaro | Home Center Lite Firmware | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Advisory: Multiple Vulnerabilities in Fibaro Home Center - IoT Inspector | CONFIRM | www.iot-inspector.com | |
| Fibaro Home Center MITM / Missing Authentication / Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Full Disclosure: [CVE-2021-20989, CVE-2021-20990, CVE-2021-20991, CVE-2021-20992] Multiple vulnerabilities in Fibaro Home Center | FULLDISC | seclists.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Marton Illes, IoT Inspector Research Lab, https://www.iot-inspector.com
There are currently no legacy QID mappings associated with this CVE.