MidnightBSD

Advisories for ecobee

CVE-2018-6402 LOW

Ecobee Ecobee4 4.2.0.171 devices can be forced to deauthenticate and connect to an unencrypted Wi-Fi network with the same SSID, even if the device settings specify use of encryption such as WPA2, as long as the competing network has a stronger signal. An attacker must be able to set up a nearby SSID, similar to an "Evil Twin" attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: LOW

Problem Type: CWE-327,

Products Affected

Vendor Product Version
ecobee ecobee4_firmware 4.2.0.171
CVE-2021-27952 MEDIUM

Hardcoded default root credentials exist on the ecobee3 lite 4.5.81.200 device. This allows a threat actor to gain access to the password-protected bootloader environment through the serial console.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
ecobee ecobee3_lite_firmware 4.5.81.200
CVE-2021-27953 HIGH

A NULL pointer dereference vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to cause a denial of service, forcing the device to reboot via a crafted HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-476,

Products Affected

Vendor Product Version
ecobee ecobee3_lite_firmware 4.5.81.200
CVE-2021-27954 MEDIUM

A heap-based buffer overflow vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HKProcessConfig function of the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to force the device to connect to a SSID or cause a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H 3.9 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
ecobee ecobee3_lite_firmware 4.5.81.200