[Japanese]

JVNDB-2023-000026

Qrio Smart Lock Q-SL2 vulnerable to authentication bypass by capture-replay

Overview

Qrio Smart Lock Q-SL2 provided by Qrio, inc. contains an authentication bypass by capture-replay vulnerability (CWE-294).

Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 3.1 (Low) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 1.8 (Low) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


Qrio, inc.
  • Qrio Lock (Q-SL2) firmware version 2.0.9 and earlier

Impact

An attacker may analyze the product's communication data and perform unintended operations under certain conditions.
Solution

[Update the firmware and related products]
Update the firmware and related products to the latest version according to the information provided by the developer.
Vendor Information

Qrio, inc.
CWE (What is CWE?)

  1. Improper Authentication(CWE-287) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2023-25946
References

  1. JVN : JVN#48687031
Revision History

  • [2023/05/18]
      Web page was published

Date Public2023/05/18
Date First Published2023/05/18
Date Last Updated2023/05/18