CVE-2022-25989
Description
An authentication bypass vulnerability exists in the libxm_av.so getpeermac() functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted DHCP packet can lead to authentication bypass. An attacker can DHCP poison to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authentication bypass in Eufy Homebase 2's getpeermac() allows an attacker to spoof a trusted device via DHCP poisoning.
Vulnerability
The Eufy Homebase 2 (version 2.1.8.5h) contains an authentication bypass vulnerability in the libxm_av.so library's getpeermac() function. This function is used to authenticate smarthome devices connecting to the Homebase's hidden WiFi hotspot. By sending a specially-crafted DHCP packet, an attacker can bypass the MAC-based authentication check. The vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing) [1].
Exploitation
An attacker must be within range of the Homebase 2's hidden WiFi network (typically used for smarthome device communication). No authentication is required to send DHCP packets on that network. The attacker performs DHCP poisoning by responding to DHCP requests with a crafted packet that spoofs the MAC address of a legitimate device. This causes the getpeermac() function to return the spoofed MAC, granting the attacker access as if they were a trusted device [1].
Impact
Successful exploitation allows the attacker to bypass authentication and impersonate a legitimate smarthome device. This can lead to unauthorized access to the Homebase 2's internal network, potentially allowing the attacker to interact with other connected devices, exfiltrate video data, or disrupt operations. The CVSSv3 score is 7.1 (High) with impacts to confidentiality, integrity, and availability [1].
Mitigation
As of the publication date (2022-05-05), the vendor had not released a patch. The confirmed vulnerable version is 2.1.8.5h. Users should monitor for firmware updates from Anker/Eufy. No workaround is documented. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.1.8.5h
- Range: 2.1.8.5h
Patches
No patches discovered yet.
References
- [1] talosintelligence.com/vulnerability_reports/TALOS-2022-1479 (mitre, x_refsource_MISC)