CVE-2022-46496 - Missing TLS Certificate Validation in DoorEntry HOMETOUCH for iOS

1. Vulnerability Properties

Title: Missing TLS Certificate Validation in DoorEntry HOMETOUCH for iOS
CVE ID: CVE-2022-46496
CVSSv3 Base Score: 7.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
Products: BTicino DoorEntry HOMETOUCH for iOS
Advisory Release Date: 6 February 2023
Advisory URL: https://labs.integrity.pt/advisories/cve-2022-46496
Credits: Discovery by Bruno Morisson

2. Vulnerability Summary

The application does not correctly validate TLS certificates when connecting to a specific endpoint, making it possible to perform man-in-the-middle (MITM) attacks and obtain user login credentials.

3. Vulnerable Versions

  • < 1.5.1

4. Solution

  • Upgrade to version 1.5.1

5. Vulnerability Timeline

  • 25/Nov/22 - Vulnerability reported to vendor
  • 30/Nov/22 - Vendor acknowledged report
  • 23/Jan/23 - Version 1.5.1 with fix released
  • 05/Feb/23 - Vendor informed that new version had been released
  • 06/Feb/23 - Advisory published

6. References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-46496

