Cisco Talos has uncovered multiple vulnerabilities in the Nest Cam IQ Indoor camera that can enable a denial-of-service condition or code execution by an unauthorized user.

Version 4620002 of the camera is affected by the vulnerabilities. Cisco Talos has disclosed them and worked with the Nest team, so a patch is available.

The two most critical issues are CVE-2019-5035, which holds a CVSS 9.0 rating, and CVE-2019-5040, rated CVSS 8.5.

The first issue is an exploitable information disclosure vulnerability in the Weave PASE pairing functionality of the camera. An attacker can trigger it by sending a set of specially crafted Weave packets that brute-force a pairing code, resulting in greater Weave access and potentially full device control.

CVE-2019-5040 can also be exploited through specially crafted Weave packets. In this case, an exploitable information disclosure vulnerability exists in the Weave MessageLayer parsing of Openweave-core version 4.0.2 and the Nest Cam, resulting in PacketBuffer data reuse that enables possible information disclosure.

The less critical vulnerabilities are:

  • CVE-2019-5043 – a TCP connection denial-of-service vulnerability.
  • CVE-2019-5034 – a pairing information disclosure vulnerability.
  • CVE-2019-5036 – a denial-of-service vulnerability.
  • CVE-2019-5037 – a denial-of-service vulnerability.
  • CVE-2019-5038 – a code execution vulnerability.
  • CVE-2019-5039 – a code execution vulnerability.