CVE-2019-13143 — CRITICAL (9.8)

Vulnerability Description

An HTTP parameter pollution issue was discovered on Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 2.3. With the user ID, user name, and the lock's MAC address, anyone can unbind the existing owner of the lock, and bind themselves instead. This leads to complete takeover of the lock. The user ID, name, and MAC address are trivially obtained from APIs found within the Android or iOS application. With only the MAC address of the lock, any attacker can transfer ownership of the lock from the current user, over to the attacker's account. Thus rendering the lock completely inaccessible to the current user.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Shenzhen Dragon Brothers	Fb50 Firmware	2.3
Shenzhen Dragon Brothers	Fb50	-

Related Weaknesses (CWE)

CWE-20

References

http://blog.securelayer7.net/fb50-smart-lock-vulnerability-disclosure/ExploitThird Party Advisory
http://blog.securelayer7.net/fb50-smart-lock-vulnerability-disclosure/ExploitThird Party Advisory

FAQ

What is CVE-2019-13143?

CVE-2019-13143 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An HTTP parameter pollution issue was discovered on Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 2.3. With the user ID, user name, and the lock's MAC address, anyone can unbind th...

How severe is CVE-2019-13143?

CVE-2019-13143 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-13143?

Check the references section above for vendor advisories and patch information. Affected products include: Shenzhen Dragon Brothers Fb50 Firmware, Shenzhen Dragon Brothers Fb50.