[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVE-2015-1600 - Netatmo Weather Station Cleartext Password Leak
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: CVE-2015-1600 - Netatmo Weather Station Cleartext Password Leak
- From: jullrich@xxxxxxxx
- Date: Fri, 13 Feb 2015 19:36:05 GMT
Summary
During initial setup, the weather station will submit its complete
configuration unencrypted to the manufacturer cloud service. This configuration
includes confidential information like the user's Wifi password.
The problem has been fixed by removing this configuration dump from current
firmware versions.
CVE: CVE-2015-1600.
Affected Systems: Netatmo Indoor Module firmware 100 and earlier.
Additional Details:
https://isc.sans.edu/forums/diary/Did+You+Remove+That+Debug+Code+Netatmo+Weather+Station+Sending+WPA+Passphrase+in+the+Clear/19327/
Manufacturers web site: www.netatmo.com
Patch: Affected systems will download updated firmware automatically from
Netatmo's cloud service.