9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.004 Low
EPSS
Percentile
75.1%
All firmware versions of Qolsys IQ Panel contain hard-coded cryptographic keys, do not validate signatures during software updates, and use a vulnerable version of Android OS.
Qolsys IQ Panel is an Android OS-based touch screen controller for home automation devices and functions. All firmware versions contain the following vulnerabilities.
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2015-6032
Qolsys IQ Panel contains multiple hard-coded cryptographic keys. With these keys it may be possible for attackers to sign malicious code that would then be accepted as valid by affected devices.
CWE-347: Improper Verification of Cryptographic Signature - CVE-2015-6033
Qolsys IP Panel fails to properly validate cryptographic signatures for software updates before installing them. Malicious updates provided by an attacker may be accepted as valid by affected devices.
CWE-937: OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
Qolsys IP Panel uses an outdated version of Android OS with known vulnerabilities. An attacker may be able to leverage vulnerabilities affecting Android 2.2.1 to compromise affected devices.
The CVSS score below is for CVE-2015-6033.
A remote, unauthenticated attacker may be able to inject malicious firmware or software updates that will be accepted as valid by affected devices. It may be possible to leverage known vulnerabilities affecting Android OS 2.2.1 compromise affected devices.
The CERT/CC is currently unaware of a practical solution to this problem. The vendor has indicated that they will release QOL 1.5.1 to address these issues in November 2015, but until then, users should consider the following workaround.
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks. Since the nature of these vulnerabilities means that malicious updates can be made to appear valid, users should consider disabling automatic updates altogether. Users should confirm the source of any update before applying it manually.
573848
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: June 23, 2015 Updated: October 29, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
All firmware versions of Qolsys IQ Panel are affected.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23573848 Feedback>).
Group | Score | Vector |
---|---|---|
Base | 7.6 | AV:N/AC:H/Au:N/C:C/I:C/A:C |
Temporal | 6.8 | E:POC/RL:U/RC:C |
Environmental | 5.1 | CDP:N/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Roman Faynberg from Carve Systems for reporting this vulnerability.
This document was written by Joel Land.
CVE IDs: | CVE-2015-6032, CVE-2015-6033 |
---|---|
Date Public: | 2015-10-29 Date First Published: |