[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2015-1600 - Netatmo Weather Station Cleartext Password Leak

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CVE-2015-1600 - Netatmo Weather Station Cleartext Password Leak
From: jullrich@xxxxxxxx
Date: Fri, 13 Feb 2015 19:36:05 GMT

Summary

   During initial setup, the weather station will submit its complete 
configuration unencrypted to the manufacturer cloud service. This configuration 
includes confidential information like the user's Wifi password.

   The problem has been fixed by removing this configuration dump from current 
firmware versions.

CVE: CVE-2015-1600.

Affected Systems: Netatmo Indoor Module firmware 100 and earlier.

Additional Details: 
https://isc.sans.edu/forums/diary/Did+You+Remove+That+Debug+Code+Netatmo+Weather+Station+Sending+WPA+Passphrase+in+the+Clear/19327/

Manufacturers web site: www.netatmo.com

Patch: Affected systems will download updated firmware automatically from 
Netatmo's cloud service.

Prev by Date: UNIT4 Prosoft HRMS XSS Vulnerability
Next by Date: CVE-2015-1593 - Linux ASLR integer overflow: Reducing stack entropy by four
Previous by thread: UNIT4 Prosoft HRMS XSS Vulnerability
Next by thread: CVE-2015-1593 - Linux ASLR integer overflow: Reducing stack entropy by four
Index(es):
- Date
- Thread