A vulnerability, which was classified as critical, has been found in Logitech Unifying Devices (version unknown). This issue affects an unknown function of the component Incomplete Fix CVE-2016-10761. The manipulation as part of a Key Combination leads to a injection vulnerability. Using CWE to declare the problem leads to CWE-74. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Logitech Unifying devices allow keystroke injection, bypassing encryption. The attacker must press a "magic" key combination while sniffing cryptographic data from a Radio Frequency transmission. NOTE: this issue exists because of an incomplete fix for CVE-2016-10761.

The weakness was released 06/29/2019. The identification of this vulnerability is CVE-2019-13053 since 06/29/2019. The exploitation is known to be difficult. An attack has to be approached locally. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1055 for this issue.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

heise.de is providing further details. Entries connected to this vulnerability are available at 137083 and 137080.

Productinfo

Vendor

• Logitech

Name

• Unifying Devices

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion