Vulnerability Description
A door-unlocking issue was discovered on Software House iStar Ultra devices through 6.5.2.20569 when used in conjunction with the IP-ACM Ethernet Door Module. The communications between the IP-ACM and the iStar Ultra is encrypted using a fixed AES key and IV. Each message is encrypted in CBC mode and restarts with the fixed IV, leading to replay attacks of entire messages. There is no authentication of messages beyond the use of the fixed AES key, so message forgery is also possible.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Swhouse | Istar Ultra Firmware | <= 6.5.2.20569 |
| Swhouse | Istar Ultra | - |
Related Weaknesses (CWE)
References
- https://systemoverlord.com/2017/12/18/cve-2017-17704-broken-cryptography-in-istaThird Party Advisory
- https://systemoverlord.com/2017/12/18/cve-2017-17704-broken-cryptography-in-istaThird Party Advisory
FAQ
What is CVE-2017-17704?
CVE-2017-17704 is a vulnerability with a CVSS score of 7.4 (HIGH). A door-unlocking issue was discovered on Software House iStar Ultra devices through 6.5.2.20569 when used in conjunction with the IP-ACM Ethernet Door Module. The communications between the IP-ACM and...
How severe is CVE-2017-17704?
CVE-2017-17704 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-17704?
Check the references section above for vendor advisories and patch information. Affected products include: Swhouse Istar Ultra Firmware, Swhouse Istar Ultra.