Vulnerabilities > CVE-2023-37822 - Insufficient Entropy vulnerability in Eufy Homebase 2 Firmware

CVSS 8.2 - HIGH

Attack vector

ADJACENT_NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

LOW

Availability impact

NONE

low complexity

eufy

CWE-331

NVD

Published: 2024-10-03

Updated: 2024-10-29

Summary

The Eufy Homebase 2 before firmware version 3.3.4.1h creates a dedicated wireless network for its ecosystem, which serves as a proxy to the end user's primary network. The WPA2-PSK generation of this dedicated network is flawed and solely based on the serial number. Due to the flawed generation process, the WPA2-PSK can be brute forced offline within seconds. This vulnerability allows an attacker in proximity to the dedicated wireless network to gain unauthorized access to the end user's primary network. The only requirement of the attack is proximity to the dedicated wireless network.

Vulnerable Configurations

Part	Description	Count
OS	Eufy Eufy Homebase 2 Firmware *	1
Hardware	Eufy Eufy Homebase 2 -	1

Common Weakness Enumeration (CWE)

CWE-331 - Insufficient Entropy

Common Attack Pattern Enumeration and Classification (CAPEC)

Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References