CVE-2019-15304

Lierda Grill Temperature Monitor V1.00_50006 has a default password of admin for the admin account, which allows an attacker to cause a Denial of Service or Information Disclosure via the undocumented access-point configuration page located on the device. This wifi thermometer app requests and requires excessive permissions to operate such as Fine GPS location, camera, applists, Serial number, IMEI. In addition to the "backdoor" login access for "admin" purposes, this accompanying app also establishes connections with several china based URLs to include Alibaba cloud computing. NOTE: this device also ships with ProGrade branding.

CVSS v3 9.1 CRITICAL
CVSS v2.0 6.4 MEDIUM

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

6.4^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:P

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://packetstormsecurity.com/files/154221/ProGrade-Lierda-Grill-Temperature-1.00_50006-Hardcoded-Credentials.html	Third Party Advisory VDB Entry
http://progradegrill.com/wifi-grilling-thermometer/	Product
http://seclists.org/fulldisclosure/2019/Aug/24	Mailing List Third Party Advisory
https://www.joesandbox.com/analysis/287596/0/html
http://packetstormsecurity.com/files/154221/ProGrade-Lierda-Grill-Temperature-1.00_50006-Hardcoded-Credentials.html	Third Party Advisory VDB Entry
http://progradegrill.com/wifi-grilling-thermometer/	Product
http://seclists.org/fulldisclosure/2019/Aug/24	Mailing List Third Party Advisory
https://www.joesandbox.com/analysis/287596/0/html

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:progradegrill:wifi_grilling_thermometer_firmware:1.00_50006:*:*:*:*:*:*:*

cpe:2.3:h:progradegrill:wifi_grilling_thermometer:-:*:*:*:*:*:*:*

History

21 Nov 2024, 04:28

Type	Values Removed	Values Added
References	~~() http://packetstormsecurity.com/files/154221/ProGrade-Lierda-Grill-Temperature-1.00_50006-Hardcoded-Credentials.html - Third Party Advisory, VDB Entry~~	() http://packetstormsecurity.com/files/154221/ProGrade-Lierda-Grill-Temperature-1.00_50006-Hardcoded-Credentials.html - Third Party Advisory, VDB Entry
References	~~() http://progradegrill.com/wifi-grilling-thermometer/ - Product~~	() http://progradegrill.com/wifi-grilling-thermometer/ - Product
References	~~() http://seclists.org/fulldisclosure/2019/Aug/24 - Mailing List, Third Party Advisory~~	() http://seclists.org/fulldisclosure/2019/Aug/24 - Mailing List, Third Party Advisory
References	~~() https://www.joesandbox.com/analysis/287596/0/html -~~	() https://www.joesandbox.com/analysis/287596/0/html -

Information

Published : 2019-08-26 13:15

Updated : 2024-11-21 04:28

NVD link : CVE-2019-15304

Mitre link : CVE-2019-15304

CVE.ORG link : CVE-2019-15304

JSON object : View

Products Affected

progradegrill

wifi_grilling_thermometer_firmware
wifi_grilling_thermometer

CWE

CWE-1188

Insecure Default Initialization of Resource

9.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

6.4 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2019-15304

9.1^/10

6.4^/10

Attach tags to `CVE-2019-15304`