| CVSS SCORE | 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) |
This vulnerability allows remote attackers to issue commands on vulnerable installations of Juuko equipment. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of communication between the transmitter and receiver. Because data sent over RF is encoded with a fixed control code, an attacker who uses that code can forge unauthorized commands to the receiver. An attacker can leverage this vulnerability to issue commands to the physical equipment controlled by the device.
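The weakness described above, as an added sketch that is not Juuko's protocol or ZDI's code: a constructed fixed-code receiver that decodes any frame it hears, beside a receiver that requires a per-pair key, an HMAC tag and a fresh counter. The frame layout, the constant, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

FIXED_CODE = 0xA5   # constructed constant standing in for a fixed control code
TAG_LEN = 8         # truncated HMAC-SHA256 tag length (assumption)


def weak_encode(cmd: int) -> bytes:
    """Fixed-code scheme: the same command always yields the same frame."""
    return bytes([cmd ^ FIXED_CODE])


def weak_receive(frame: bytes) -> int:
    """Fixed-code receiver: decodes anything, authenticates nothing."""
    return frame[0] ^ FIXED_CODE


def auth_encode(key: bytes, counter: int, cmd: int) -> bytes:
    """Frame = counter (4 bytes) || command (1 byte) || truncated HMAC tag."""
    body = struct.pack(">IB", counter, cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthReceiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""

    def __init__(self, key: bytes):
        self.key = key            # per-pair secret (hypothetical provisioning)
        self.last_counter = 0

    def receive(self, frame: bytes):
        if len(frame) != 5 + TAG_LEN:
            return None
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None           # forged or corrupted frame
        counter, cmd = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return None           # replay of an earlier frame
        self.last_counter = counter
        return cmd
```

In the fixed-code model a frame is valid forever once observed; in the second model a frame is accepted once, and only from a holder of the key.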
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.
07/19/18 - ZDI reported vulnerability to ICS-CERT
| CREDIT | Federico Maggi, Marco Balduzzi, Stephen Hilt, Philippe Lin, Akira Urano, Rainer Vosseler of Trend Micro Security Research |