CVE-2023-7004 : The TTLock App does not employ proper verification procedures to ensure that it

The TTLock App does not employ proper verification procedures to ensure that it is communicating with the expected device, allowing for connection to a device that spoofs the MAC address of a lock, which compromises the legitimate locks integrity.

Published 2024-03-15 17:15:08

Updated 2024-08-26 16:35:03

Source CERT/CC

View at NVD, CVE.org

Products affected by CVE-2023-7004

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2023-7004

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 12 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-7004

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.5	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-08-26
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2023-7004

CWE-940 Improper Verification of Source of a Communication Channel

The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2023-7004

https://alephsecurity.com/2024/03/07/kontrol-lux-lock-2/

Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 2: discovered vulnerabilities)

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-7004

Products affected by CVE-2023-7004

Exploit prediction scoring system (EPSS) score for CVE-2023-7004

CVSS scores for CVE-2023-7004

CWE ids for CVE-2023-7004

References for CVE-2023-7004