CVE-2024-44097 — Improper Privilege Management in Google Nest CAM Firmware

CWE-269 — Improper Privilege Management2 documents2 sources

Severity

9.8CRITICALNVD

EPSS

0.1%

top 77.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Nest CAM Firmware Google Nest CAM With Floodlight Firmware Google Nest Doorbell Firmware +1 more

Timeline

PublishedOct 2

Description

According to the researcher: "The TLS connections are encrypted against tampering or eavesdropping. However, the application does not validate the server certificate properly while initializing the TLS connection. This allows for a network attacker to intercept the connection and read the data. The attacker could the either send the client a malicious response, or forward the (possibly modified) data to the real server."

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDgoogle/nest_cam_firmware< 1.73c

▶NVDgoogle/nest_doorbell_firmware< 1.73c

▶NVDgoogle/nest_cam_with_floodlight_firmware< 1.73c

▶CVEListV5google/androidunknown

🔴Vulnerability Details

GHSA

GHSA-hxrw-p6mf-w8qx: According to the researcher: "The TLS connections are encrypted against tampering or eavesdropping↗2024-10-02

▶