CVEs
Shenzhen Yunni Technology iLnkP2P
CVE-2019-11219
- Severity: 9.0 (Critical) (CVSS3.1 Score)The algorithm used to generate device IDs (UIDs) for devices that utilize Shenzhen Yunni Technology iLnkP2P suffers from a predictability flaw that allows remote attackers to establish direct connections to arbitrary devices.
CVE-2019-11220
- Severity: 9.6 (Critical) (CVSS3.1 Score)An authentication flaw in Shenzhen Yunni Technology iLnkP2P allows remote attackers to actively intercept user-to-device traffic in cleartext, including video streams and device credentials.
Disclosure Timeline
| Feb. 4, 2019: | Advisory issued to vendor (no response received) |
| Feb. 14, 2019: | 2nd advisory issued to vendor (no response received) |
| Feb. 19, 2019: | Vulnerabilities reported to CERT/CC |
| Apr. 1, 2019: | CNCERT/CC attempts to contact vendor (no response received) |
| Apr. 24, 2019: | Public disclosure |
CS2 Network P2P
CVE-2020-9525
- Severity: 9.6 (Critical) (CVSS3.1 Score)CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an authentication flaw that allows remote attackers to perform a man-in-the-middle attack, as demonstrated by eavesdropping on user video/audio streams, capturing credentials, and compromising devices.
CVE-2020-9526
- Severity: 9.6 (Critical) (CVSS3.1 Score)CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an information exposure flaw that exposes user session data to supernodes in the network, as demonstrated by passively eavesdropping on user video/audio streams, capturing credentials, and compromising devices.
Disclosure Timeline
| Feb. 24, 2020: | Advisory issued to vendor |
| Feb. 24, 2020: | Vendor states vulnerabilities will be resolved in CS2 Network P2P v4.0 |
| Aug. 5, 2020: | Public disclosure |
Shenzhen Hichip Vision Technology
CVE-2020-9527
- Severity: 9.0 (Critical) (CVSS3.1 Score)Firmware developed by Shenzhen Hichip Vision Technology (versions 2018-08-09 through 2020-06-29), as used by many different vendors in millions of Internet of Things devices, suffers from buffer overflow vulnerability that allows unauthenticated remote attackers to execute arbitrary code via the peer-to-peer (P2P) service.
CVE-2020-9528
- Severity: 9.6 (Critical) (CVSS3.1 Score)Firmware developed by Shenzhen Hichip Vision Technology (versions before 2020-06-29), as used by many different vendors in millions of Internet of Things devices, suffers from cryptographic issues that allow remote attackers to access user session data, as demonstrated by eavesdropping on user video/audio streams, capturing credentials, and compromising devices.
CVE-2020-9529
- Severity: 9.6 (Critical) (CVSS3.1 Score)Firmware developed by Shenzhen Hichip Vision Technology (versions before 2020-06-29), as used by many different vendors in millions of Internet of Things devices, suffers from a privilege escalation vulnerability that allows attackers on the local network to reset the device’s administrator password.
Disclosure Timeline
| Jan. 15, 2020: | Advisory issued to vendor |
| Jan. 17, 2020: | Vendor states they are investigating vulnerabilities |
| Feb. 24, 2020: | Vendor commits to patching vulnerabilities |
| Jul. 10, 2020: | Vulnerabilities confirmed resolved |
| Aug. 5, 2020: | Public disclosure |