Vulnerability-Lookup

CNVD-2019-36986

Vulnerability from cnvd - Published: 2019-10-24

Title

AutoPi.io AutoPi Wi-Fi/NB和AutoPi 4G/LTE暴力攻击漏洞

Description

AutoPi.io AutoPi Wi-Fi/NB和AutoPi 4G/LTE都是丹麦AutoPi.io公司的一款加密设备。 AutoPi.io AutoPi Wi-Fi/NB和AutoPi 4G/LTE 2019-10-15之前版本中存在安全漏洞，该漏洞源于默认的WiFi和WiFi SSID都来源于同一哈希函数的输出值。攻击者可通过实施暴力破解攻击或字典攻击利用该漏洞获取WiFi网络的访问权限。

Severity

高

Patch Name

AutoPi.io AutoPi Wi-Fi/NB和AutoPi 4G/LTE暴力攻击漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.autopi.io

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-12941

Impacted products

Name
AutoPi.io Wi-Fi/NB and 4G/LTE devices <2019-10-15

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-12941"
    }
  },
  "description": "AutoPi.io AutoPi Wi-Fi/NB\u548cAutoPi 4G/LTE\u90fd\u662f\u4e39\u9ea6AutoPi.io\u516c\u53f8\u7684\u4e00\u6b3e\u52a0\u5bc6\u8bbe\u5907\u3002\n\nAutoPi.io AutoPi Wi-Fi/NB\u548cAutoPi 4G/LTE 2019-10-15\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u9ed8\u8ba4\u7684WiFi\u548cWiFi SSID\u90fd\u6765\u6e90\u4e8e\u540c\u4e00\u54c8\u5e0c\u51fd\u6570\u7684\u8f93\u51fa\u503c\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5b9e\u65bd\u66b4\u529b\u7834\u89e3\u653b\u51fb\u6216\u5b57\u5178\u653b\u51fb\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6WiFi\u7f51\u7edc\u7684\u8bbf\u95ee\u6743\u9650\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.autopi.io",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-36986",
  "openTime": "2019-10-24",
  "patchDescription": "AutoPi.io AutoPi Wi-Fi/NB\u548cAutoPi 4G/LTE\u90fd\u662f\u4e39\u9ea6AutoPi.io\u516c\u53f8\u7684\u4e00\u6b3e\u52a0\u5bc6\u8bbe\u5907\u3002\r\n\r\nAutoPi.io AutoPi Wi-Fi/NB\u548cAutoPi 4G/LTE 2019-10-15\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u9ed8\u8ba4\u7684WiFi\u548cWiFi SSID\u90fd\u6765\u6e90\u4e8e\u540c\u4e00\u54c8\u5e0c\u51fd\u6570\u7684\u8f93\u51fa\u503c\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5b9e\u65bd\u66b4\u529b\u7834\u89e3\u653b\u51fb\u6216\u5b57\u5178\u653b\u51fb\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6WiFi\u7f51\u7edc\u7684\u8bbf\u95ee\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "AutoPi.io AutoPi Wi-Fi/NB\u548cAutoPi 4G/LTE\u66b4\u529b\u653b\u51fb\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "AutoPi.io Wi-Fi/NB and 4G/LTE devices \u003c2019-10-15"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-12941",
  "serverity": "\u9ad8",
  "submitTime": "2019-10-16",
  "title": "AutoPi.io AutoPi Wi-Fi/NB\u548cAutoPi 4G/LTE\u66b4\u529b\u653b\u51fb\u6f0f\u6d1e"
}

CVE-2019-12941 (GCVE-0-2019-12941)

Vulnerability from cvelistv5 – Published: 2019-10-14 17:02 – Updated: 2024-08-04 23:32

Summary

AutoPi Wi-Fi/NB and 4G/LTE devices before 2019-10-15 allows an attacker to perform a brute-force attack or dictionary attack to gain access to the WiFi network, which provides root access to the device. The default WiFi password and WiFi SSID are derived from the same hash function output (input is only 8 characters), which allows an attacker to deduce the WiFi password from the WiFi SSID.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.kth.se/nse/research/software-systems-…	x_refsource_MISC
	http://www.diva-portal.org/smash/get/diva2:133424…	x_refsource_MISC
	https://www.kth.se/polopoly_fs/1.931922.157107163…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:32:55.589Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.kth.se/nse/research/software-systems-architecture-and-security/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.diva-portal.org/smash/get/diva2:1334244/FULLTEXT01.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.kth.se/polopoly_fs/1.931922.1571071632%21/Burdzovic_Matsson_dongle_v2.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "AutoPi Wi-Fi/NB and 4G/LTE devices before 2019-10-15 allows an attacker to perform a brute-force attack or dictionary attack to gain access to the WiFi network, which provides root access to the device. The default WiFi password and WiFi SSID are derived from the same hash function output (input is only 8 characters), which allows an attacker to deduce the WiFi password from the WiFi SSID."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-14T17:02:22.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.kth.se/nse/research/software-systems-architecture-and-security/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.diva-portal.org/smash/get/diva2:1334244/FULLTEXT01.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.kth.se/polopoly_fs/1.931922.1571071632%21/Burdzovic_Matsson_dongle_v2.pdf"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-12941",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "AutoPi Wi-Fi/NB and 4G/LTE devices before 2019-10-15 allows an attacker to perform a brute-force attack or dictionary attack to gain access to the WiFi network, which provides root access to the device. The default WiFi password and WiFi SSID are derived from the same hash function output (input is only 8 characters), which allows an attacker to deduce the WiFi password from the WiFi SSID."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.kth.se/nse/research/software-systems-architecture-and-security/",
              "refsource": "MISC",
              "url": "https://www.kth.se/nse/research/software-systems-architecture-and-security/"
            },
            {
              "name": "http://www.diva-portal.org/smash/get/diva2:1334244/FULLTEXT01.pdf",
              "refsource": "MISC",
              "url": "http://www.diva-portal.org/smash/get/diva2:1334244/FULLTEXT01.pdf"
            },
            {
              "name": "https://www.kth.se/polopoly_fs/1.931922.1571071632!/Burdzovic_Matsson_dongle_v2.pdf",
              "refsource": "MISC",
              "url": "https://www.kth.se/polopoly_fs/1.931922.1571071632!/Burdzovic_Matsson_dongle_v2.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-12941",
    "datePublished": "2019-10-14T17:02:22.000Z",
    "dateReserved": "2019-06-24T00:00:00.000Z",
    "dateUpdated": "2024-08-04T23:32:55.589Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-36986

CVE-2019-12941 (GCVE-0-2019-12941)

Tags

Sightings

Nomenclature