CVE-2019-9860

Due to unencrypted signal communication and predictability of rolling codes, an attacker can "desynchronize" an ABUS Secvest wireless remote control (FUBE50014 or FUBE50015) relative to its controlled Secvest wireless alarm system FUAA50000 3.01.01, so that sent commands by the remote control are not accepted anymore.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-036.txt	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:abus:secvest_wireless_alarm_system_fuaa50000_firmware:3.01.01:*:*:*:*:*:*:*

cpe:2.3:h:abus:secvest_wireless_alarm_system_fuaa50000:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:abus:secvest_wireless_remote_control_fube50014_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:abus:secvest_wireless_remote_control_fube50014:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:abus:secvest_wireless_remote_control_fube50015_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:abus:secvest_wireless_remote_control_fube50015:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-03-27 15:29

Updated : 2023-12-10 12:59

NVD link : CVE-2019-9860

Mitre link : CVE-2019-9860

CVE.ORG link : CVE-2019-9860

JSON object : View

Products Affected

abus

secvest_wireless_alarm_system_fuaa50000_firmware
secvest_wireless_remote_control_fube50014
secvest_wireless_remote_control_fube50015
secvest_wireless_alarm_system_fuaa50000
secvest_wireless_remote_control_fube50015_firmware
secvest_wireless_remote_control_fube50014_firmware

CWE

CWE-319

Cleartext Transmission of Sensitive Information

CWE-330

Use of Insufficiently Random Values

{"id": "CVE-2019-9860", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-03-27T15:29:01.127", "references": [{"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-036.txt", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}, {"lang": "en", "value": "CWE-330"}]}], "descriptions": [{"lang": "en", "value": "Due to unencrypted signal communication and predictability of rolling codes, an attacker can \"desynchronize\" an ABUS Secvest wireless remote control (FUBE50014 or FUBE50015) relative to its controlled Secvest wireless alarm system FUAA50000 3.01.01, so that sent commands by the remote control are not accepted anymore."}, {"lang": "es", "value": "Debido a la comunicaci\u00f3n de se\u00f1ales no cifrada y a la predecibilidad de los c\u00f3digos evolutivos, un atacante puede \"desincronizar\" un control remoto inal\u00e1mbrico de ABUS Secvest (FUBE50014 o FUBE50015), relacionado con su sistema de alarma inal\u00e1mbrica Secvest controlada FUAA50000 3.01.01, por lo que los comandos enviados por el control remoto ya no se aceptan."}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:abus:secvest_wireless_alarm_system_fuaa50000_firmware:3.01.01:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C5A31E7-5281-4EDC-9CC5-A887857BB6B7"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:abus:secvest_wireless_alarm_system_fuaa50000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CD534B70-3FA6-4712-A30E-A9BEEB9A91CB"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:abus:secvest_wireless_remote_control_fube50014_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36446080-FC7A-40C4-B3FA-E431B7208B54"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:abus:secvest_wireless_remote_control_fube50014:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FE991250-A833-4D6D-9CAE-8802C81917E5"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:abus:secvest_wireless_remote_control_fube50015_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9837869E-A954-4E05-B8FA-FF4D41B45E0E"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:abus:secvest_wireless_remote_control_fube50015:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FF0E3110-7E9E-4FE2-9611-78B4D9819927"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}