PT-2022-7195 · Ultraloq · Ultraloq UL3 2nd Gen Smart Lock

Alexios Mylonas +2 · Published 2022-05-12 · Updated 2024-01-16 · CVE-2022-46480

CVSS v3.1: 8.1 (High)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Ultraloq UL3 2nd Gen Smart Lock Firmware version 02.27.0012

Description

The issue is related to incorrect session management and credential re-use in the Bluetooth LE stack, allowing an attacker to sniff the unlock code and unlock the device while within Bluetooth range. This can lead to the disclosure of protected information.

Recommendations

For Ultraloq UL3 2nd Gen Smart Lock Firmware version 02.27.0012, consider disabling the Bluetooth LE functionality to prevent exploitation until a patch is available. Restrict access to the device when not in use to minimize the risk of unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Session Fixation


Weakness Enumeration

Related Identifiers

BDU:2023-09009
CVE-2022-46480

Affected Products

Ultraloq UL3 2nd Gen Smart Lock