PT-2021-14318 · Fibaro · Fibaro Home Center 2+1
Marton Illes · Published 2021-04-19 · Updated 2022-10-29 · CVE-2021-20989
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older
Description:
The issue concerns Fibaro Home Center 2 and Lite devices that initiate SSH connections to the Fibaro cloud for remote access and support. This connection is vulnerable to interception via a DNS spoofing attack, allowing an attacker to use a device-initiated remote port-forward channel to connect to the web management interface. To perform further actions, knowledge of authorization credentials to the management interface is required.
Recommendations:
For firmware version 4.600 and older, update to a version newer than 4.600 to resolve the issue.
As a temporary workaround, consider restricting access to the web management interface until a patch is available.
Avoid using the device-initiated remote port-forward channel for remote access and support until the issue is resolved.
Exploit
Fix
Weakness Enumeration:
Improper Certificate Validation
Affected Products:
Fibaro Home Center 2
Fibaro Home Center Lite