CVE-2023-6949 in Mini 3 Pro
Summary
by MITRE • 04/02/2024
** DISPUTED ** A Missing Authentication for Critical Function issue affecting the HTTP service running on the DJI Mavic Mini 3 Pro on the standard port 80 could allow an attacker to enumerate and download videos and pictures saved on the drone internal or external memory without requiring any kind of authentication.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 08/02/2024
The CVE-2023-6949 vulnerability represents a critical authentication flaw in the HTTP service of DJI Mavic Mini 3 Pro drones, operating on the standard port 80. This issue falls under the CWE-306 category of Missing Authentication for Critical Function, where essential security controls are entirely absent from functions that should be protected. The vulnerability exists within the drone's web interface implementation, specifically targeting the media retrieval functionality that allows access to stored video and image files. The flaw demonstrates a fundamental failure in the device's security architecture where unauthorized access to sensitive user data is possible through unauthenticated HTTP requests.
The technical exploitation of this vulnerability occurs through direct network access to the drone's HTTP service without requiring any credentials or authentication mechanisms. Attackers can enumerate the file system structure and download media content stored both internally and externally on the device's memory storage. This unauthenticated access bypasses all intended security controls and represents a complete failure of the device's access control mechanisms. The vulnerability is particularly concerning because it affects the core functionality of the drone's media management system, exposing user-generated content without any form of authorization verification.
The operational impact of CVE-2023-6949 extends beyond simple data exposure, as it compromises the privacy and security of users who rely on the drone for personal or professional media capture. The vulnerability affects both internal and external storage media, meaning that any photos or videos stored on the device are potentially accessible to unauthorized parties. This exposure could lead to privacy violations, intellectual property theft, or sensitive information disclosure depending on the nature of the captured media. The vulnerability's impact is amplified by the fact that it operates on the standard HTTP port 80, making it easily discoverable and exploitable through common network scanning tools and techniques.
Security professionals should note that this vulnerability aligns with ATT&CK technique T1046 for Network Service Scanning and T1566 for Phishing, as attackers could discover and exploit this service to gain unauthorized access to user data. The lack of authentication mechanisms represents a clear violation of security best practices and demonstrates poor implementation of secure coding principles. Organizations and individuals using DJI Mavic Mini 3 Pro devices should immediately implement network segmentation to prevent unauthorized access to these devices and consider disabling unnecessary HTTP services when not actively required. The vulnerability also highlights the importance of proper access control implementation in IoT devices and emphasizes the need for robust authentication mechanisms even for seemingly benign services.
This vulnerability type is particularly dangerous in the context of drone security because it enables complete media theft without requiring specialized tools or advanced exploitation techniques. The exposure of stored media content could include sensitive personal information, business data, or copyrighted material that could be monetized or used for malicious purposes. The vulnerability's impact is further compounded by the fact that many users may not be aware of the exposed service or its security implications, making it an attractive target for automated exploitation campaigns. The issue represents a fundamental failure in the device's security model and requires immediate remediation through firmware updates or network-level controls to prevent unauthorized access to stored media content.