CVE-2024-2197

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-2197

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

T

he Chirp Access app contains a hard-coded password, BEACON_PASSWORD. An attacker within Bluetooth range could change configuration settings within the Bluetooth beacon, effectively disabling the application's ability to notify users when they are near a Beacon-enabled access point. This variable cannot be used to change the configuration settings of the door readers or locksets and does not affect the ability for authorized users of the mobile application to lock or unlock access points.

References
Link Resource
https://statement.chirpsystems.com/chirp-systems-icsa-24-067-01-response.html
https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01
https://statement.chirpsystems.com/chirp-systems-icsa-24-067-01-response.html
https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01
Configurations

No configuration.

History

21 Nov 2024, 09:09

Type Values Removed Values Added
References () https://statement.chirpsystems.com/chirp-systems-icsa-24-067-01-response.html - () https://statement.chirpsystems.com/chirp-systems-icsa-24-067-01-response.html -
References () https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01 - () https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01 -

05 Jun 2024, 23:15

Type Values Removed Values Added
CWE CWE-798 CWE-259
References
  • () https://statement.chirpsystems.com/chirp-systems-icsa-24-067-01-response.html -
CVSS v2 : unknown
v3 : 9.1 		v2 : unknown
v3 : 4.3
Summary
  • (es) La aplicación Chirp Access contiene una contraseña codificada, BEACON_PASSWORD. Un atacante dentro del alcance de Bluetooth podría cambiar los ajustes de configuración dentro de la baliza Bluetooth, deshabilitando efectivamente la capacidad de la aplicación para notificar a los usuarios cuando están cerca de un punto de acceso habilitado para Beacon. Esta variable no se puede utilizar para cambiar los ajustes de configuración de los lectores de puertas o cerraduras y no afecta la capacidad de los usuarios autorizados de la aplicación móvil para bloquear o desbloquear puntos de acceso.
Summary (en) Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access. (en) The Chirp Access app contains a hard-coded password, BEACON_PASSWORD. An attacker within Bluetooth range could change configuration settings within the Bluetooth beacon, effectively disabling the application's ability to notify users when they are near a Beacon-enabled access point. This variable cannot be used to change the configuration settings of the door readers or locksets and does not affect the ability for authorized users of the mobile application to lock or unlock access points.
Information

Published : 2024-03-20 01:15

Updated : 2024-11-21 09:09

NVD link : CVE-2024-2197

Mitre link : CVE-2024-2197

CVE.ORG link : CVE-2024-2197

JSON object : View

Products Affected

No product.

CWE
CWE-259

Use of Hard-coded Password