Cyber Resilience

CVE-2021-38545

Medium · Public PoC

Published: 11 August 2021

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0029 (53.0th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-38545 is a medium-severity vulnerability, with an unspecified weakness type, in Raspberry Pi 4 Model B Firmware (vendor: raspberrypi). Its CVSS base score is 5.9 (Medium).

Operationally, it ranks in the top 47.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

Raspberry Pi 3 B+ and 4 B devices through 2021-08-09, in certain specific use cases in which the device supplies power to audio-output equipment, allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. We assume that the Raspberry Pi supplies power to some speakers. The power indicator LED of the Raspberry Pi is connected directly to the power line; as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects the Raspberry Pi's power consumption and as a result is also correlative to the light intensity of the LED. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LED of the Raspberry Pi, we can recover the sound played by the speakers.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

raspberrypi · raspberry pi 4 model b firmware · ≤ 2021-08-09
raspberrypi · raspberry pi 3 model b+ firmware · ≤ 2021-08-09

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References