# CVE-2022-24611

Details regarding the Z-Wave S0-No-More attack. For a full analysis and a report on how this works and how to reproduce the findings, see the attached PDF file.
## Short description:
Denial of Service attack against S0 and S2 devices (tested with the Z-Wave ZW5xx product line), here specifically Z-Wave enabled Amazon Ring Gen. 1 devices. An attacker can use the S0 NonceGet request to continuously send a minimal amount of nonce requests (1 per 2 seconds) to the Z-Wave gateway, effectively blocking it from issuing new nonces to other devices while the attack is running. This is due to the Z-Wave specification demanding that a participant wait for at least 3 and up to 20 seconds for the reply of the device requesting the nonce, and the fact that the attacker can spoof any device within the network. This attack relies on a spoofable device NodeID and therefore on a device which has been successfully included but is offline during the attack. This does include devices which have not been correctly excluded using the smartphone app, e.g. a smart power socket. This attack can be used to target specific networks while leaving others untouched and only needs a minimum amount of packets compared to jamming attacks to block a controller / device.
## Vulnerability Type:
DoS
## Vendor of Product:
Silicon Labs (manufacturer of the Z-Wave ZW5xx SoC used in the specific product tested)
## Specific Product tested:
(Amazon) Ring Alarm Security Kit, 5 piece
## Affected product codebase:
Unknown, affects both S0 and S2 Z-Wave networks of Gen. 5 of the Z-Wave specification; S2 only if S0 connections, especially S0 NonceGet, are allowed by the gateway.
## Attack Type:
Local attack, the attacker needs to be in range of the victim's Z-Wave network.
## Impact:
Complete Denial of Service against the target network, rendering it unusable for the duration of the attack. The network resumes operation after the attack without noticeable traces. There seems to be no limitation to the attack duration. The attack only needs a minimum amount of packets to start the blocking process. The controller stays blocked until all requests in its incoming buffer have timed out, even if the attacker is no longer sending.
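The traffic pattern described above (a steady trickle of S0 NonceGet frames, about one every 2 seconds, from a NodeID that is actually offline) is cheap to spot on the gateway side or in a sniffer trace. The following detection rule is an added example and not part of the CVE-2022-24611 report; the frame records are constructed, and the command-class identifiers (`COMMAND_CLASS_SECURITY = 0x98`, `SECURITY_NONCE_GET = 0x40`) are taken from the public Z-Wave Security command class definition.

```python
"""Detect S0 NonceGet flooding (the S0-No-More pattern) in decoded Z-Wave frames.

Added example, not code from the CVE-2022-24611 report. Input is a list of
decoded frame records; the frames below are constructed sample data.
"""
from collections import defaultdict, deque

COMMAND_CLASS_SECURITY = 0x98   # S0 Security command class
SECURITY_NONCE_GET = 0x40       # Nonce Get command within that class

# Constructed decoded frames: (timestamp_s, src_node, dst_node, cmd_class, cmd)
FRAMES = [
    (0.0, 5, 1, 0x98, 0x40),   # legitimate nonce request from node 5
    (0.1, 1, 5, 0x98, 0x80),   # controller answers with a Nonce Report
    (10.0, 7, 1, 0x98, 0x40),  # node 7 is known to be offline: NodeID is spoofed
    (12.0, 7, 1, 0x98, 0x40),  # one request every 2 seconds, as in the attack
    (14.0, 7, 1, 0x98, 0x40),
    (16.0, 7, 1, 0x98, 0x40),
    (18.0, 7, 1, 0x98, 0x40),
    (20.0, 7, 1, 0x98, 0x40),
    (21.0, 5, 1, 0x98, 0x40),  # node 5 asks again much later; still legitimate
]


def detect_nonce_flood(frames, offline_nodes, window_s=20.0, max_per_window=2):
    """Return alerts for a source sending more than max_per_window S0 NonceGet
    frames within any window_s seconds (the controller blocks up to 20 s per
    request), or any NonceGet from a node the operator knows to be offline.
    Each alert is (kind, src_node, first_timestamp); one alert per kind and node."""
    alerts = []
    recent = defaultdict(deque)  # src_node -> timestamps of its recent NonceGets
    flagged = set()
    for ts, src, _dst, cc, cmd in frames:
        if cc != COMMAND_CLASS_SECURITY or cmd != SECURITY_NONCE_GET:
            continue
        if src in offline_nodes and ("spoofed", src) not in flagged:
            alerts.append(("spoofed", src, ts))
            flagged.add(("spoofed", src))
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop requests outside the window
            q.popleft()
        if len(q) > max_per_window and ("flood", src) not in flagged:
            alerts.append(("flood", src, ts))
            flagged.add(("flood", src))
    return alerts


if __name__ == "__main__":
    print(detect_nonce_flood(FRAMES, offline_nodes={7}))
```

The offline-node list has to come from the controller's own view of the network (e.g. last-seen timestamps), since a spoofed NodeID is indistinguishable from the real one at the frame level.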