Vulnerability Description
ShowMojo MojoBox Digital Lockbox 1.4 is vulnerable to Authentication Bypass. The implementation of the lock opening mechanism via Bluetooth Low Energy (BLE) is vulnerable to replay attacks. A malicious user is able to intercept BLE requests and replicate them to open the lock at any time. Alternatively, an attacker with physical access to the device on which the Android app is installed, can obtain the latest BLE messages via the app logs and use them for opening the lock.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Showmojo | Mojobox Firmware | 1.4 |
| Showmojo | Mojobox | - |
Related Weaknesses (CWE)
References
- https://mandomat.github.io/2023-03-15-testing-mojobox-security/ExploitTechnical DescriptionThird Party Advisory
- https://packetstormsecurity.com/2307-exploits/mojobox14-replay.txtThird Party AdvisoryVDB Entry
- https://www.whid.ninja/blog/mojobox-yet-another-not-so-smartlockExploitTechnical DescriptionThird Party Advisory
- https://mandomat.github.io/2023-03-15-testing-mojobox-security/ExploitTechnical DescriptionThird Party Advisory
- https://packetstormsecurity.com/2307-exploits/mojobox14-replay.txtThird Party AdvisoryVDB Entry
- https://www.whid.ninja/blog/mojobox-yet-another-not-so-smartlockExploitTechnical DescriptionThird Party Advisory
FAQ
What is CVE-2023-34625?
CVE-2023-34625 is a vulnerability with a CVSS score of 8.1 (HIGH). ShowMojo MojoBox Digital Lockbox 1.4 is vulnerable to Authentication Bypass. The implementation of the lock opening mechanism via Bluetooth Low Energy (BLE) is vulnerable to replay attacks. A maliciou...
How severe is CVE-2023-34625?
CVE-2023-34625 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-34625?
Check the references section above for vendor advisories and patch information. Affected products include: Showmojo Mojobox Firmware, Showmojo Mojobox.