CVE-2024-40892

Firewalla BTLE Weak Credentials

CVSS 7.1 HIGH · EPSS 0.9% · CWE-1391
In short

Firewalla devices before version 1.979 use weak credentials over Bluetooth that allow someone nearby to sniff or read the device's UUID, then use it to add SSH access and take control of the device's network.

Technical detail

A Bluetooth Low-Energy (BTLE) authentication mechanism uses the device's license UUID as a credential, which can be obtained via passive sniffing, QR code reading, or brute-force enumeration. An attacker within Bluetooth range can provision SSH credentials and subsequently access the device's LAN interface, leading to full system compromise.

Summary generated and translated by AI from the official description.
A weak credential vulnerability exists in Firewalla Box Software versions before 1.979. This vulnerability allows a physically close attacker to use the license UUID for authentication and provision SSH credentials over the Bluetooth Low-Energy (BTLE) interface. Once an attacker gains access to the LAN, they could log into the SSH interface using the provisioned credentials. The license UUID can be acquired through plain-text Bluetooth sniffing, reading the QR code on the bottom of the device, or brute-forcing the UUID (though this is less likely).
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Firewalla · Box Software
