Vulnerabilities > CVE-2023-1385 - Unspecified vulnerability in Amazon Fire OS

CVSS 8.8 - HIGH

Attack vector

ADJACENT_NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

low complexity

amazon

NVD

Published: 2023-05-03

Updated: 2024-11-21

Summary

Improper JPAKE implementation allows offline PIN brute-forcing due to the initialization of random values to a known value, which leads to unauthorized authentication to amzn.lightning services. This issue affects: Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS 7.6.3.3.

Vulnerable Configurations

Part	Description	Count
OS	Amazon Amazon Fire OS 1 Amazon Fire OS 2 Amazon Fire OS 3 Amazon Fire OS 4 Amazon Fire OS 5 Amazon Fire OS 5.3.6.3 Amazon Fire OS 5.3.6.4 Amazon Fire OS 6 Amazon Fire OS 6.2.9.5 Amazon Fire OS 7	10
Hardware	Amazon Amazon Fire TV Stick 3RD GEN -	1
Hardware	Bestbuy Bestbuy Insignia TV -	1

References

https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/
https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series/