Vulnerabilities > CVE-2021-3791 - Information Exposure Through Log Files vulnerability in Binatoneglobal products

CVSS 3.3 - LOW

Attack vector

ADJACENT_NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

low complexity

binatoneglobal

CWE-532

NVD

Published: 2021-11-12

Updated: 2021-11-16

Summary

An information disclosure vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an unauthenticated attacker on the same subnet to download an encrypted log file containing sensitive information such as WiFi SSID and password.

Vulnerable Configurations

Part	Description	Count
OS	Binatoneglobal Binatoneglobal Halo+ Camera Firmware * Binatoneglobal Comfort 85 Connect Firmware * Binatoneglobal Mbp3855 Firmware * Binatoneglobal Focus 68 Firmware - Binatoneglobal Focus 72R Firmware * Binatoneglobal Cn28 Firmware - Binatoneglobal Cn50 Firmware - Binatoneglobal Comfort 40 Firmware - Binatoneglobal Comfort 50 Connect Firmware - Binatoneglobal Mbp4855 Firmware - Binatoneglobal Mbp3667 Firmware - Binatoneglobal Mbp669 Connect Firmware - Binatoneglobal LUX 64 Firmware - Binatoneglobal LUX 65 Firmware - Binatoneglobal Connect View 65 Firmware - Binatoneglobal LUX 85 Connect Firmware - Binatoneglobal Ease44 Firmware - Binatoneglobal Connect 20 Firmware - Binatoneglobal Mbp6855 Firmware - Binatoneglobal Cn40 Firmware - Binatoneglobal Cn75 Firmware -	21
Hardware	Binatoneglobal Binatoneglobal Halo+ Camera - Binatoneglobal Comfort 85 Connect - Binatoneglobal Mbp3855 - Binatoneglobal Focus 68 V100 Binatoneglobal Focus 68 V200 Binatoneglobal Focus 72R V100 Binatoneglobal Focus 72R V200 Binatoneglobal Cn28 - Binatoneglobal Cn50 - Binatoneglobal Comfort 40 - Binatoneglobal Comfort 50 Connect - Binatoneglobal Mbp4855 - Binatoneglobal Mbp3667 - Binatoneglobal Mbp669 Connect - Binatoneglobal LUX 64 - Binatoneglobal LUX 65 - Binatoneglobal Connect View 65 - Binatoneglobal LUX 85 Connect - Binatoneglobal Ease44 - Binatoneglobal Connect 20 - Binatoneglobal Mbp6855 - Binatoneglobal Cn40 - Binatoneglobal Cn75 -	23

Common Weakness Enumeration (CWE)

CWE-532 - Information Exposure Through Log Files

Common Attack Pattern Enumeration and Classification (CAPEC)

Fuzzing and observing application log data/errors for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

References

https://binatoneglobal.com/security-advisory/