{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/142629#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nVarious Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications.\r\n\r\n### Description\r\nZ-Wave devices based on Silicon Labs chipsets have multiple vulnerabilities. For further details, including specific devices tested, see [Riding the IoT Wave With VFuzz: Discovering Security Flaws in Smart Homes](https://ieeexplore.ieee.org/document/9663293).\r\n\r\n**CVE-2020-9057**  \r\nZ-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption.\r\n\r\n**CVE-2020-9058**  \r\nZ-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 encapsulation do not implement encryption or replay protection.\r\n\r\n**CVE-2020-9059**  \r\nZ-Wave devices based on Silicon Labs 500 series chipsets using S0 authentication are susceptible to uncontrolled resource consumption which can lead to battery exhaustion.\r\n\r\n**CVE-2020-9060**  \r\nZ-Wave devices based on Silicon Labs 500 series chipsets using S2 are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages.\r\n \r\n**CVE-2020-9061**  \r\nZ-Wave devices based on Silicon Labs 500 and 700 series chipsets are susceptible to denial of service via malformed routing messages.\r\n\r\n**CVE-2020-10137**  \r\nZ-Wave devices based on Silicon Labs 700 series chipsets using S2 do not adequately authenticate or encrypt FIND_NODE_IN_RANGE frames.\r\n\r\n### Impact\r\nDepending on the chipset and device, an attacker within Z-Wave radio range can deny service, cause devices to crash, deplete batteries, intercept, observe, and replay 
traffic, and control vulnerable devices.\r\n\r\n### Solution\r\nMitigations for these vulnerabilities vary based on the chipset and device. In some cases it may be necessary to upgrade to newer hardware, for example, 500 and 700 series chipsets that support S2 authentication and encryption.\r\n\r\n### Acknowledgements\r\nThanks to Carlos Kayembe Nkuba, Seulbae Kim, Sven Dietrich, and Heejo Lee for researching and reporting these vulnerabilities.\r\n\r\nThis document was written by Timur Snoke and Art Manion.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statement from Jasco"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Jasco notes"},{"category":"other","text":"Silicon Labs is grateful for the work of CERT.org and the security research community.  Any researchers or other parties who discover vulnerabilities in our products are encouraged to notify our Product Security Incident Response Team at https://silabs.com/security/product-security\r\n\r\nThe vulnerabilities associated with this case represent known weaknesses with various combinations of unencrypted traffic, S0 and S2 security.  
We have additional guidance documentation in the Case References area.  Any product developers who need additional guidance or recommendations are encouraged to contact us at https://silabs.com/support.","title":"Vendor statement from Silicon Labs"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Silicon Labs notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/142629"},{"url":"https://ieeexplore.ieee.org/document/9663293","summary":"https://ieeexplore.ieee.org/document/9663293"},{"url":"https://doi.org/10.1109/ACCESS.2021.3138768","summary":"https://doi.org/10.1109/ACCESS.2021.3138768"},{"url":"https://github.com/CNK2100/VFuzz-public","summary":"https://github.com/CNK2100/VFuzz-public"},{"url":"https://products.z-wavealliance.org/products/2559","summary":"https://products.z-wavealliance.org/products/2559"},{"url":"https://z-wavealliance.org/z-wave-oems-developers/","summary":"https://z-wavealliance.org/z-wave-oems-developers/"},{"url":"https://www.silabs.com/documents/login/white-papers/INS13474-Z-Wave-Security-Whitepaper.pdf","summary":"Reference(s) from vendor \"Silicon Labs\""},{"url":"https://www.silabs.com/documents/login/presentations/PMP13827-2.pdf","summary":"Reference(s) from vendor \"Silicon Labs\""}],"title":"Silicon Labs Z-Wave chipsets contain multiple vulnerabilities","tracking":{"current_release_date":"2022-01-09T04:10:25+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#142629","initial_release_date":"2022-01-07 
21:54:33.833171+00:00","revision_history":[{"date":"2022-01-09T04:10:25+00:00","number":"1.20220109041025.5","summary":"Released on 2022-01-09T04:10:25+00:00"}],"status":"final","version":"1.20220109041025.5"}},"vulnerabilities":[{"title":"Z-Wave devices based on Silicon Labs 700 series chipsets using S2 do not adequately authenticate or encrypt FIND_NODE_IN_RANGE frames, allowing a remote, unauthenticated attacker to inject a FIND_NODE_IN_RANGE frame with an invalid random payload, denying service by blocking the processing of upcoming events.","notes":[{"category":"summary","text":"Z-Wave devices based on Silicon Labs 700 series chipsets using S2 do not adequately authenticate or encrypt FIND_NODE_IN_RANGE frames, allowing a remote, unauthenticated attacker to inject a FIND_NODE_IN_RANGE frame with an invalid random payload, denying service by blocking the processing of upcoming events."}],"cve":"CVE-2020-10137","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#142629"}]},{"title":"Unauthenticated Z-Wave devices with SoC 500 Series allows physically proximate attackers to replay, impersonate, and inject frames that control the target device due to missing encryption.","notes":[{"category":"summary","text":"Unauthenticated Z-Wave devices with SoC 500 Series allows physically proximate attackers to replay, impersonate, and inject frames that control the target device due to missing encryption."}],"cve":"CVE-2020-9058","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#142629"}],"references":[{"url":"https://www.silabs.com/documents/login/white-papers/INS13474-Z-Wave-Security-Whitepaper.pdf","summary":"This is a known weakness with unencrypted traffic.  S0 and S2 can encrypt application data.","category":"external"},{"url":"https://www.silabs.com/documents/login/presentations/PMP13827-2.pdf","summary":"This is a known weakness with unencrypted traffic.  
S0 and S2 can encrypt application data.","category":"external"}],"product_status":{"known_affected":["CSAFPID-8fad199c-39e5-11f1-8422-122e2785dc9f"]}},{"title":"Z-Wave S0 Authenticated devices with SoC 500 series allows physically proximate attackers to inject infinite SECURITY_NONCE_GET that lead to battery exhaustion causing Denial of Service (DoS) on battery-powered devices due to uncontrolled resource consumption.","notes":[{"category":"summary","text":"Z-Wave S0 Authenticated devices with SoC 500 series allows physically proximate attackers to inject infinite SECURITY_NONCE_GET that lead to battery exhaustion causing Denial of Service (DoS) on battery-powered devices due to uncontrolled resource consumption."}],"cve":"CVE-2020-9059","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#142629"}],"references":[{"url":"https://www.silabs.com/documents/login/white-papers/INS13474-Z-Wave-Security-Whitepaper.pdf","summary":"This is a known weakness with S0 security.","category":"external"},{"url":"https://www.silabs.com/documents/login/presentations/PMP13827-2.pdf","summary":"This is a known weakness with S0 security.","category":"external"}],"product_status":{"known_affected":["CSAFPID-8fadb1fe-39e5-11f1-8422-122e2785dc9f"]}},{"title":"Z-Wave controllers with SoC 500 series (S0 and S2) allows physically proximate attackers to inject an invalid device Node Information (NIF) frame that modifies the controller stored NIF causing Denial of Service (DoS) on the target Z-Wave S0 authenticated device due to improper authorization.","notes":[{"category":"summary","text":"Z-Wave controllers with SoC 500 series (S0 and S2) allows physically proximate attackers to inject an invalid device Node Information (NIF) frame that modifies the controller stored NIF causing Denial of Service (DoS) on the target Z-Wave S0 authenticated device due to improper authorization."}],"cve":"CVE-2020-9061","ids":[{"system_name":"CERT/CC V Identifier 
","text":"VU#142629"}],"references":[{"url":"https://www.silabs.com/documents/login/white-papers/INS13474-Z-Wave-Security-Whitepaper.pdf","summary":"This is a known weakness with S0 and S2 security.","category":"external"},{"url":"https://www.silabs.com/documents/login/presentations/PMP13827-2.pdf","summary":"This is a known weakness with S0 and S2 security.","category":"external"}],"product_status":{"known_affected":["CSAFPID-8faebec8-39e5-11f1-8422-122e2785dc9f"]}},{"title":"Z-Wave devices with system on chip (SoC) 100, 200, and 300 Series allows physically proximate attackers to replay, impersonate, and inject frames to the Z-Wave network due to missing encryption.","notes":[{"category":"summary","text":"Z-Wave devices with system on chip (SoC) 100, 200, and 300 Series allows physically proximate attackers to replay, impersonate, and inject frames to the Z-Wave network due to missing encryption."}],"cve":"CVE-2020-9057","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#142629"}],"references":[{"url":"https://www.silabs.com/documents/login/white-papers/INS13474-Z-Wave-Security-Whitepaper.pdf","summary":"This is a known weakness with unencrypted traffic. S0 and S2 security can encrypt application data.","category":"external"},{"url":"https://www.silabs.com/documents/login/presentations/PMP13827-2.pdf","summary":"This is a known weakness with unencrypted traffic. 
S0 and S2 security can encrypt application data.","category":"external"}],"product_status":{"known_affected":["CSAFPID-8faf7f2a-39e5-11f1-8422-122e2785dc9f"]}},{"title":"Z-Wave S2 devices with SoC 500 series allows physically proximate attackers to inject infinite SECURITY_2_NONCE_GET that leads to a partial Denial of Service (DoS) due to high CPU/MCU consumption.","notes":[{"category":"summary","text":"Z-Wave S2 devices with SoC 500 series allows physically proximate attackers to inject infinite SECURITY_2_NONCE_GET that leads to a partial Denial of Service (DoS) due to high CPU/MCU consumption."}],"cve":"CVE-2020-9060","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#142629"}],"references":[{"url":"https://www.silabs.com/documents/login/white-papers/INS13474-Z-Wave-Security-Whitepaper.pdf","summary":"This is a known weakness with S2 security.","category":"external"},{"url":"https://www.silabs.com/documents/login/presentations/PMP13827-2.pdf","summary":"This is a known weakness with S2 security.","category":"external"}],"product_status":{"known_affected":["CSAFPID-8fb04842-39e5-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Jasco","product":{"name":"Jasco Products","product_id":"CSAFPID-8face3fa-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Silicon Labs","product":{"name":"Silicon Labs Products","product_id":"CSAFPID-8fad199c-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Silicon Labs","product":{"name":"Silicon Labs Products","product_id":"CSAFPID-8fadb1fe-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Jasco","product":{"name":"Jasco Products","product_id":"CSAFPID-8fae0820-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Jasco","product":{"name":"Jasco Products","product_id":"CSAFPID-8fae8a84-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Silicon Labs","product":{"name":"Silicon Labs 
Products","product_id":"CSAFPID-8faebec8-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Jasco","product":{"name":"Jasco Products","product_id":"CSAFPID-8faf3e84-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Silicon Labs","product":{"name":"Silicon Labs Products","product_id":"CSAFPID-8faf7f2a-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Jasco","product":{"name":"Jasco Products","product_id":"CSAFPID-8faffa5e-39e5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Silicon Labs","product":{"name":"Silicon Labs Products","product_id":"CSAFPID-8fb04842-39e5-11f1-8422-122e2785dc9f"}}]}}