MidnightBSD

Advisories for owletcare

CVE-2023-6321

A command injection vulnerability exists in the IOCTL that manages OTA updates. A specially crafted command can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability.

CVSS 3.x

Source: cve-requests@bitdefender.com
Score: 7.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2
Impact: 5.9

Products Affected

Vendor Product Version
throughtek kalay_platform -
owletcare cam_2_firmware *
owletcare cam_firmware *

CVE-2023-6323

ThroughTek Kalay SDK does not verify the authenticity of received messages, allowing an attacker to impersonate an authoritative server.

CVSS 3.x

Source: cve-requests@bitdefender.com
Score: 4.3 (MEDIUM)
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8
Impact: 1.4

Products Affected

Vendor Product Version
wyze cam_v3_firmware 4.36.11.5859
throughtek kalay_platform -
roku indoor_camera_se_firmware 3.0.2.4679
owletcare cam_2_firmware *
owletcare cam_firmware *

CVE-2023-6324

ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session when encountering an unexpected PSK identity.

CVSS 3.x

Source: cve-requests@bitdefender.com
Score: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8
Impact: 5.2

Products Affected

Vendor Product Version
wyze cam_v3_firmware 4.36.11.5859
throughtek kalay_platform -
roku indoor_camera_se_firmware 3.0.2.4679
owletcare cam_2_firmware *
owletcare cam_firmware *