CVE-2019-5039
published 2019-08-20CVE-2019-5039: An exploitable command execution vulnerability exists in the ASN1 certificate writing functionality of Openweave-core version 4.0.2. A specially crafted weave…
PriorityP181high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
ITWVulnCheck KEVRansomware
Exploited in the wild
EPSS
1.62%
73.0th percentile
An exploitable command execution vulnerability exists in the ASN1 certificate writing functionality of Openweave-core version 4.0.2. A specially crafted weave certificate can trigger a heap-based buffer overflow, resulting in code execution. An attacker can craft a weave certificate to trigger this vulnerability.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openweave | openweave-core | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-mqw2-4hpp-cmw6: An exploitable command execution vulnerability exists in the ASN1 certificate writing functionality of Openweave-core version 4
ghsa_unreviewed·2022-05-24
CVE-2019-5039 [HIGH] CWE-787 GHSA-mqw2-4hpp-cmw6: An exploitable command execution vulnerability exists in the ASN1 certificate writing functionality of Openweave-core version 4
An exploitable command execution vulnerability exists in the ASN1 certificate writing functionality of Openweave-core version 4.0.2. A specially crafted weave certificate can trigger a heap-based buffer overflow, resulting in code execution. An attacker can craft a weave certificate to trigger this vulnerability.
VulnCheck
openweave openweave-core Heap-based Buffer Overflow
vulncheck·2019·CVSS 8.8
CVE-2019-5039 [HIGH] openweave openweave-core Heap-based Buffer Overflow
openweave openweave-core Heap-based Buffer Overflow
An exploitable command execution vulnerability exists in the ASN1 certificate writing functionality of Openweave-core version 4.0.2. A specially crafted weave certificate can trigger a heap-based buffer overflow, resulting in code execution. An attacker can craft a weave certificate to trigger this vulnerability.
Affected: openweave openweave-core
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf; https://info.securin.io/hubfs/Securin%20Ransomware%20Report%202023.p
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Multiple bugs in OpenWeave and Nest Labs Nest Cam IQ indoor camera
blogs_talos·2019-08-19·CVSS 5.3
[MEDIUM] Vulnerability Spotlight: Multiple bugs in OpenWeave and Nest Labs Nest Cam IQ indoor camera
Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered multiple vulnerabilities in the Nest Cam IQ Indoor camera. One of Nest Labs’ most advanced internet-of-things devices, the Nest Cam IQ Indoor integrates Security-Enhanced Linux in Android, Google Assistant, and even facial recognition all into a compact security camera. It primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth and 6lowpan. Most of these vulnerabilities lie in the weave binary of the camera, however, there are some that also apply to the weave-tool binary. It is important to note that while the
weave-tool binary also lives on the camera and is vulnerable, it is not normally exploitable as it requ
Talos
Vulnerability Spotlight: Multiple bugs in OpenWeave and Nest Labs Nest Cam IQ indoor camera
blogs_talos·2019-08-19·CVSS 5.3
[MEDIUM] Vulnerability Spotlight: Multiple bugs in OpenWeave and Nest Labs Nest Cam IQ indoor camera
## Vulnerability Spotlight: Multiple bugs in OpenWeave and Nest Labs Nest Cam IQ indoor camera
Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered multiple vulnerabilities in the Nest Cam IQ Indoor camera. One of Nest Labs’ most advanced internet-of-things devices, the Nest Cam IQ Indoor integrates Security-Enhanced Linux in Android, Google Assistant, and even facial recognition all into a compact security camera. It primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth and 6lowpan. Most of these vulnerabilities lie in the weave binary of the camera, however, there are some that also apply to the weave-tool binary. It is important to note that while the
weave-t
2019-08-20
Published
Exploited in the wild