Security policy and Security Advisories
Security of our products is a high priority for us. However, as we all know, no matter how much effort is put into product security, no product can be 100% secure. With our security advisories we want to provide customers with timely information and risk mitigation advice to minimize the risks associated with security threats. We recommend that customers use the latest available version of the software and firmware. Firmware and software updates should be downloaded only from reputable sources, such as the COMET webpages, or obtained directly from technical support. Any questions related to COMET products and security threats may be addressed to technical support.
How to report a potential security vulnerability
We want to learn about any potential security issues impacting our products so that we can take the necessary steps to promptly address them. To report a potential security vulnerability, please contact our security team via technical support. Your report should be in English. Because vulnerability information is extremely sensitive, do not provide it directly via email. Please contact us, and we will provide you with a secure way to report it.
Report handling process
Once a report is submitted, it will be managed according to the following process:
- Reporting a new vulnerability - contact technical support about the potential security vulnerability you have found. They will provide you with a way to send the details securely.
- Evaluating - once we have acknowledged receipt of the detailed information about the potential security vulnerability, we will analyse it to understand the impact on COMET products.
- Remediation - confirmed security issues will be mitigated by the appropriate actions.
- Disclosure - where appropriate, we will disclose information about the verified vulnerability in a security advisory or a bulletin.
Public security advisories
Below is a list of publicly provided security advisories. The list may contain commonly known CVEs which do not have an impact on COMET products.
DATE | DESCRIPTION | IMPACT TO COMET PRODUCTS |
2022-02-16 | Ping Utility Vulnerability | WiFi sensors Wx7xx (firmware version 10.0.3.0 and lower) |
CVE-2021-21966 | A security vulnerability was found related to the SoC used in WiFi sensors. This vulnerability affects the Ping utility inside the HTTP server. We have confirmed that WiFi sensors with firmware version 10.0.3.0 and lower are affected by this vulnerability. For this reason we strongly recommend updating the firmware to 10.0.4.0 or higher. The latest firmware for WiFi sensors is available on the COMET webpages. |
2022-02-07 | Samba vulnerability | No impact |
CVE-2021-44142 | COMET does not use Samba (an open-source implementation of the SMB protocol) in any end-user software or firmware. No additional measures in relation to COMET devices or software are required. |
2021-12-13 | Apache Log4j 2.x vulnerabilities | No impact |
CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 | COMET does not use the Log4j library in any end-user software or firmware. No additional measures in relation to COMET devices or software are required. |
2021-05-15 | WiFi FragAttacks vulnerabilities | WiFi sensors Wx7xx (firmware version 10.0.2.0 and lower) |
CVE-2020-24588, CVE-2020-26140, CVE-2020-26143 | FragAttacks is the name for vulnerabilities related to the WiFi standard and its implementation, disclosed by security researcher Mathy Vanhoef on May 11, 2021. WiFi sensors with firmware version 10.0.2.0 and lower may be affected by these vulnerabilities. We are not aware of any potential attack vector for WiFi sensors, but we strongly recommend updating the firmware to version 10.0.2.1 or higher. Firmware which solves these potential issues is available on the COMET webpages. |
2021-04-29 | Potential memory allocation vulnerabilities | WiFi sensors Wx7xx (firmware version 10.0.1.1 and lower) |
CVE-2021-22636, CVE-2021-27429, CVE-2021-27502 | Memory allocation vulnerabilities were found in a 3rd party development environment used for development of WiFi sensors. At present we are not aware of any way to exploit these potential vulnerabilities in WiFi sensors. However, we strongly recommend updating the firmware to 10.0.2.0 or higher. The latest firmware for WiFi sensors is available on the COMET webpages. |
2020-12-09 | Vulnerabilities in TCP/IP stacks AMNESIA:33 | No impact |
CVE description | COMET does not use these TCP/IP stacks (uIP, FNET, picoTCP, Nut/Net) inside any device. No additional measures in relation to COMET devices are required. |