The 2nd generation version of Belkin’s Wemo Mini Smart Plug has been found to contain a buffer overflow vulnerability. This vulnerability could be weaponized by a threat actor to remotely inject arbitrary commands.
Issues with assigned identifiers CVE-2023-27217was discovered by Israeli IoT security firm Sternum and reported to Belkin on January 9, 2023 to reverse engineer the device and gain access to its firmware.
The Wemo Mini Smart Plug V2 (F7C063) provides a convenient remote control that allows users to turn their electronic devices on and off using a companion app installed on their smartphone or tablet.
The crux of the problem lies in the ability to rename smart plugs to more “”.friendly name.” The default name assigned is “Wimo Mini 6E9. ”
“Name length is limited to 30 characters or less, but this rule is only enforced by the app itself,” security researchers Amit Serper and Reuven Yakar said in a report shared with The Hacker News. Code stating and adding that the validation was not applied by the firmware.
As a result, using a Python module named pyWeMo to circumvent the character limit can lead to a buffer overflow condition, which can certainly be abused to crash the device or trick code into malicious code. It can take over control by executing commands.
Following the findings, Belkin said it had no plans to address the flaw, citing the fact that the device was nearing end-of-life (EoL) and being replaced by a newer model.
“It appears that this vulnerability could be triggered via a cloud interface (i.e. without a direct connection to the device),” the researchers warned.
In the absence of a fix, users of the Wemo Mini Smart Plug V2 are advised to avoid direct exposure to the Internet and ensure proper segmentation measures are implemented when deployed on sensitive networks.
“This is what happens when devices are shipped without on-device protection. Absolutely, it means you’re always one step behind the attackers.There will be no more patches,” said Igal Zeifman, Sternum’s vice president of marketing.
