PT-2018-13044 · Mystrom · Mystrom Wifi Button Plus+6
Published
2018-08-30
·
Updated
2018-11-09
·
CVE-2018-15479
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
myStrom WiFi Switch V1 versions prior to 2.66
myStrom WiFi Switch V2 versions prior to 3.80
myStrom WiFi Switch EU versions prior to 3.80
myStrom WiFi Bulb versions prior to 2.58
myStrom WiFi LED Strip versions prior to 3.80
myStrom WiFi Button versions prior to 2.73
myStrom WiFi Button Plus versions prior to 2.73
Description
An issue was discovered where devices did not authenticate themselves to the cloud in device to cloud communication. This lack of device authentication allowed an attacker to impersonate any device by guessing or learning their MAC address.
Recommendations
For myStrom WiFi Switch V1 versions prior to 2.66, update to version 2.66 or later.
For myStrom WiFi Switch V2 versions prior to 3.80, update to version 3.80 or later.
For myStrom WiFi Switch EU versions prior to 3.80, update to version 3.80 or later.
For myStrom WiFi Bulb versions prior to 2.58, update to version 2.58 or later.
For myStrom WiFi LED Strip versions prior to 3.80, update to version 3.80 or later.
For myStrom WiFi Button versions prior to 2.73, update to version 2.73 or later.
For myStrom WiFi Button Plus versions prior to 2.73, update to version 2.73 or later.
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mystrom Wifi Bulb
Mystrom Wifi Button
Mystrom Wifi Button Plus
Mystrom Wifi Led Strip
Mystrom Wifi Switch Eu
Mystrom Wifi Switch V1
Mystrom Wifi Switch V2