CVE-2021-20989 MEDIUM

CVE-2021-20989: Fibaro Home Center Insufficient remote access server authorization

Vendor: Fibar Group S.A.
Product: Fibaro Home Center
Weakness: CWE-295
Published: April 19, 2021
Last update: September 17, 2024

CVSS base score

5.9/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using a DNS spoofing attack, and the device-initiated remote port-forward channel can then be used to connect to the web management interface. Knowledge of authorization credentials for the management interface is required to perform any further actions.

Key dates

02 Disclosure timeline

April 19, 2021: CVE published
September 17, 2024: Record updated