CVE-2019-5635

A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/	Third Party Advisory
https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086	Product
https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/	Third Party Advisory
https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:belwith-keeler:hickory_smart_ethernet_bridge_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:belwith-keeler:hickory_smart_ethernet_bridge:-:*:*:*:*:*:*:*

History

21 Nov 2024, 04:45

Type	Values Removed	Values Added
References	~~() https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/ - Third Party Advisory~~	() https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/ - Third Party Advisory
References	~~() https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086 - Product~~	() https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086 - Product

Information

Published : 2019-08-22 14:15

Updated : 2024-11-21 04:45

NVD link : CVE-2019-5635

Mitre link : CVE-2019-5635

CVE.ORG link : CVE-2019-5635

JSON object : View

Products Affected

belwith-keeler

hickory_smart_ethernet_bridge_firmware
hickory_smart_ethernet_bridge

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2019-5635", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "cve@rapid7.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.0}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-08-22T14:15:13.680", "references": [{"url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/", "tags": ["Third Party Advisory"], "source": "cve@rapid7.com"}, {"url": "https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086", "tags": ["Product"], "source": "cve@rapid7.com"}, {"url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hickoryhardware.com/products/hickory-smart-ethernet-bridge?variant=20882150228086", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve@rapid7.com", "description": [{"lang": "en", "value": "CWE-319"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information."}, {"lang": "es", "value": "Una vulnerabilidad de transmisi\u00f3n de informaci\u00f3n confidencial en texto sin cifrar est\u00e1 presente en Hickory Smart Ethernet Bridge de Belwith Products, LLC. Los datos capturados revelan que el dispositivo Hickory Smart Ethernet Bridge se comunica por medio de la red con un broker MQTT sin usar cifrado. Esto expuso el nombre de usuario y la contrase\u00f1a predeterminados usados para autenticarse en el broker MQTT. Este problema afecta a Hickory Smart Ethernet Bridge, n\u00famero de modelo H077646. El firmware no parece contener informaci\u00f3n del versionado."}], "lastModified": "2024-11-21T04:45:16.780", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:belwith-keeler:hickory_smart_ethernet_bridge_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A3193A0-A0C9-4593-B00D-7077400C4E69"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:belwith-keeler:hickory_smart_ethernet_bridge:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5E9C47D2-E9CD-482D-B2B4-C42388936A75"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@rapid7.com"}

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2019-5635

7.5^/10

5.0^/10

Attach tags to `CVE-2019-5635`