CVE-2024-32928

The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices which enabled a potential man-in-the-middle attack on requests to Google cloud services by any host the traffic was routed through.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.google.com/product-documentation/answer/14771247?hl=en&ref_topic=12974021&sjid=9111851316942032590-NA#zippy=	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:google:nest_mini_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:google:nest_mini:-:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:haxx:libcurl:-:*:*:*:*:*:*:*

History

14 Mar 2025, 16:15

Type	Values Removed	Values Added
CWE		CWE-295

20 Aug 2024, 16:13

Type	Values Removed	Values Added
References	~~() https://support.google.com/product-documentation/answer/14771247?hl=en&ref_topic=12974021&sjid=9111851316942032590-NA#zippy= -~~	() https://support.google.com/product-documentation/answer/14771247?hl=en&ref_topic=12974021&sjid=9111851316942032590-NA#zippy= - Vendor Advisory
CPE		cpe:2.3:h:google:nest_mini:-:::::::* cpe:2.3:o:google:nest_mini_firmware:-:::::::* cpe:2.3:a:haxx:libcurl:-:::::::*
Summary		(es) La opción libcurl CURLOPT_SSL_VERIFYPEER se deshabilitó en un subconjunto de solicitudes realizadas por dispositivos de producción Nest, lo que permitió un posible ataque de intermediario en solicitudes a los servicios en la nube de Google por parte de cualquier host por el que se enrutara el tráfico.
First Time		Google nest Mini Firmware Haxx Google Haxx libcurl Google nest Mini
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.9
CWE		NVD-CWE-noinfo

19 Aug 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-19 17:15

Updated : 2025-03-14 16:15

NVD link : CVE-2024-32928

Mitre link : CVE-2024-32928

CVE.ORG link : CVE-2024-32928

JSON object : View

Products Affected

google

nest_mini_firmware
nest_mini

haxx

libcurl

CWE

NVD-CWE-noinfo CWE-295

Improper Certificate Validation

{"id": "CVE-2024-32928", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2024-08-19T17:15:07.557", "references": [{"url": "https://support.google.com/product-documentation/answer/14771247?hl=en&ref_topic=12974021&sjid=9111851316942032590-NA#zippy=", "tags": ["Vendor Advisory"], "source": "dsap-vuln-management@google.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices which enabled a potential man-in-the-middle attack on requests to Google cloud services by any host the traffic was routed through."}, {"lang": "es", "value": "La opci\u00f3n libcurl CURLOPT_SSL_VERIFYPEER se deshabilit\u00f3 en un subconjunto de solicitudes realizadas por dispositivos de producci\u00f3n Nest, lo que permiti\u00f3 un posible ataque de intermediario en solicitudes a los servicios en la nube de Google por parte de cualquier host por el que se enrutara el tr\u00e1fico."}], "lastModified": "2025-03-14T16:15:31.157", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:nest_mini_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDFD7974-8108-4FBD-A70C-3EBE70EC8A4E"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:google:nest_mini:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4D380EB7-288F-420B-A971-CBDF91AEE8BF"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:haxx:libcurl:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D43957B-3D81-4334-9C2C-819F8B322FC7"}], "operator": "OR"}]}], "sourceIdentifier": "dsap-vuln-management@google.com"}