PT-2017-13690 · Philips · Philips Hue Bridge

Published

2017-09-30

Updated

2017-11-21

CVE-2017-14797

CVSS v2.0

7.9

High

Vector

AV:A/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Philips Hue Bridge BSB002 version 1707040932

Description The issue is related to a lack of transport encryption in the public API, allowing remote attackers to read API keys by sniffing HTTP traffic on the local intranet network. This can lead to bypassing the pushlink protection mechanism and obtaining complete control of connected accessories.

Recommendations For Philips Hue Bridge BSB002 version 1707040932, consider disabling the public API until a patch is available to add transport encryption, and restrict access to the local intranet network to minimize the risk of exploitation.

Fix

Inadequate Encryption Strength

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-326

Related Identifiers

CVE-2017-14797

Affected Products

Philips Hue Bridge

PT-2017-13690 · Philips · Philips Hue Bridge

CVE-2017-14797

Weakness Enumeration

Related Identifiers

Affected Products

References · 3