PT-2022-9073 · Aeon Labs, Fibaro, Zooz · Aeon Labs ZW090-A and four other products

Author: Carlos Kayembe Nkuba

Published: 2022-01-07
Updated: 2022-09-20

CVE-2020-9060

CVSS v3.1: 6.5 (Medium)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

ZooZ ZST10 version 6.04
ZooZ ZEN20 version 5.03
ZooZ ZEN25 version 5.03
Aeon Labs ZW090-A version 3.95
Fibaro FGWPB-111 version 4.3
Description

Z-Wave devices based on Silicon Labs 500 series chipsets that use S2 (the Z-Wave Security 2 framework) are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages. The CVSS vector (AV:A, C:N/I:N/A:H) reflects that the attacker needs adjacent (radio-range) access and that the impact is limited to availability.
Recommendations

For ZooZ ZST10 version 6.04, consider disabling the SECURITY NONCE GET and SECURITY NONCE GET 2 functions until a patch is available.
For ZooZ ZEN20 version 5.03, restrict access to the NO OPERATION message to minimize the risk of exploitation.
For ZooZ ZEN25 version 5.03, avoid using the NIF REQUEST message in the affected API endpoint until the issue is resolved.
For Aeon Labs ZW090-A version 3.95, restrict access to the vulnerable module to minimize the risk of exploitation.
For Fibaro FGWPB-111 version 4.3, consider disabling the vulnerable function until a patch is available.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Resource Exhaustion
Origin Validation Error

Related Identifiers

CVE-2020-9060

Affected Products

Aeon Labs ZW090-A
Fibaro FGWPB-111
Zooz ZEN20
Zooz ZEN25
Zooz ZST10