Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered multiple vulnerabilities in the Nest Cam IQ Indoor camera. One of Nest Labs’ most advanced internet-of-things devices, the Nest Cam IQ Indoor integrates Security-Enhanced Linux in Android, Google Assistant, and even facial recognition all into a compact security camera. It primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth and 6LoWPAN. Most of these vulnerabilities lie in the weave binary of the camera; however, some also apply to the weave-tool binary. It is important to note that while the weave-tool binary also lives on the camera and is vulnerable, it is not normally exploitable, as it requires a local attack vector (i.e. an attacker-controlled file) and the vulnerable commands are never directly run by the camera.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Weave and Nest Labs to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Nest Labs Nest Cam IQ Indoor Weave TCP connection denial-of-service vulnerability (TALOS-2019-0810/CVE-2019-5043)

An exploitable denial-of-service vulnerability exists in the Weave daemon of the Nest Cam IQ Indoor, version 4620002. A set of TCP connections can cause unrestricted resource allocation, resulting in a denial of service. An attacker can connect multiple times to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Nest Labs Nest Cam IQ Indoor Weave legacy pairing information disclosure vulnerability (TALOS-2018-0797/CVE-2019-5034)

An exploitable information disclosure vulnerability exists in the Weave legacy pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted Weave packets can cause an out-of-bounds read, resulting in information disclosure. An attacker can send specially crafted packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Nest Labs Nest Cam IQ Indoor Weave PASE pairing brute force vulnerability (TALOS-2018-0798/CVE-2019-5035)

An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted Weave packets can brute-force a pairing code, resulting in greater Weave access and potentially full device control. An attacker can send specially crafted packets to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Nest Labs Nest Cam IQ Indoor Weave KeyError denial-of-service vulnerability (TALOS-2018-0799/CVE-2019-5036)

An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted Weave packet can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially crafted packet to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Nest Labs Nest Cam IQ Indoor WeaveCASEEngine::DecodeCertificateInfo denial-of-service vulnerability (TALOS-2018-0800/CVE-2019-5037)

An exploitable denial-of-service vulnerability exists in the Weave certificate loading functionality of the Nest Cam IQ Indoor camera, version 4620002. A specially crafted Weave packet can cause an integer overflow and an out-of-bounds read to occur on unmapped memory, resulting in a denial of service. An attacker can send a specially crafted packet to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Nest Labs Openweave Weave tool Print-TLV code execution vulnerability (TALOS-2018-0801/CVE-2019-5038)

An exploitable command execution vulnerability exists in the print-tlv command of Weave tool. A specially crafted Weave TLV can trigger a stack-based buffer overflow, resulting in code execution. An attacker can trigger this vulnerability by convincing the user to open a specially crafted Weave command.

Read the complete vulnerability advisory here for additional information.

Nest Labs Openweave Weave ASN1Writer PutValue code execution vulnerability (TALOS-2018-0802/CVE-2019-5039)

An exploitable command execution vulnerability exists in the ASN1 certificate writing functionality of Openweave-core, version 4.0.2. A specially crafted Weave certificate can trigger a heap-based buffer overflow, resulting in code execution. An attacker can exploit this vulnerability by tricking the user into opening a specially crafted Weave.

Read the complete vulnerability advisory here for additional information.

Nest Labs Openweave Weave DecodeMessageWithLength information disclosure vulnerability (TALOS-2018-0803/CVE-2019-5040)

An exploitable information disclosure vulnerability exists in the Weave MessageLayer parsing of Openweave-core, version 4.0.2, and the Nest Cam IQ Indoor, version 4620002. A specially crafted Weave packet can cause an integer overflow to occur, resulting in PacketBuffer data reuse. An attacker can send a packet to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that version 4620002 of the Nest Labs IQ Indoor camera is affected by these vulnerabilities.


Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 49843 - 49855, 49797, 49798, 49801 - 49804, 49856, 49857, 49813 - 49816, 49912