Details of VAR-202106-1186

ID

VAR-202106-1186

CVE

CVE-2021-32930

TITLE

Advantech Made iView Multiple vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2021-001742

DESCRIPTION

The affected product’s configuration is vulnerable due to missing authentication, which may allow an attacker to change configurations and execute arbitrary code on the iView (versions prior to v5.7.03.6182). Advantech Provided by iView Is SNMP Base device management software. iView The following multiple vulnerabilities exist in. * Lack of authentication for important features (CWE-306) - CVE-2021-32930 ‥ * SQL injection (CWE-89) - CVE-2021-32932The expected impact depends on each vulnerability, but it may be affected as follows. - CVE-2021-32930 ‥ * Information in the system is stolen by a remote third party - CVE-2021-32932. Authentication is not required to exploit this vulnerability.The specific flaw exists within the runProViewUpgrade action of NetworkServlet, which listens on TCP port 8080 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of the service acccount. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. There is a security vulnerability in the iView 5.7.03.6182 version. The vulnerability is due to the lack of authentication in the program

Trust: 2.88

sources: NVD: CVE-2021-32930 // JVNDB: JVNDB-2021-001742 // ZDI: ZDI-21-648 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-392916

AFFECTED PRODUCTS

vendor:	advantech	model:	iview	scope:	lt	version:	5.7.03.6182	Trust: 1.0
vendor:	アドバンテック株式会社	model:	iview	scope:	eq	version:	-	Trust: 0.8
vendor:	アドバンテック株式会社	model:	iview	scope:	lt	version:	5.7.03.6182 earlier s	Trust: 0.8
vendor:	advantech	model:	iview	scope:	-	version:	-	Trust: 0.7

sources: ZDI: ZDI-21-648 // JVNDB: JVNDB-2021-001742 // NVD: CVE-2021-32930

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-32930
value:	CRITICAL
Trust: 1.0
IPA:	JVNDB-2021-001742
value:	HIGH
Trust: 0.8
ZDI:	CVE-2021-32930
value:	CRITICAL
Trust: 0.7
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202106-259
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-392916
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-32930
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-392916
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-32930
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
IPA:	JVNDB-2021-001742
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2021-32930
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-21-648 // VULHUB: VHN-392916 // JVNDB: JVNDB-2021-001742 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-259 // NVD: CVE-2021-32930

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.1
problemtype:	Lack of authentication for important features (CWE-306) [IPA Evaluation ]	Trust: 0.8
problemtype:	SQL injection (CWE-89) [IPA Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-392916 // JVNDB: JVNDB-2021-001742 // NVD: CVE-2021-32930

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	Support & Download	url:	https://www.advantech.com/support/details/firmware?id=1-HIPU-183	Trust: 0.8
title:	Advantech has issued an update to correct this vulnerability.	url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-154-01	Trust: 0.7

sources: ZDI: ZDI-21-648 // JVNDB: JVNDB-2021-001742

EXTERNAL IDS

db:	NVD	id:	CVE-2021-32930	Trust: 3.2
db:	ICS CERT	id:	ICSA-21-154-01	Trust: 2.5
db:	ZDI	id:	ZDI-21-648	Trust: 1.3
db:	JVN	id:	JVNVU92160646	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-001742	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-11832	Trust: 0.7
db:	CNNVD	id:	CNNVD-202106-259	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021060407	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1970	Trust: 0.6
db:	VULHUB	id:	VHN-392916	Trust: 0.1

sources: ZDI: ZDI-21-648 // VULHUB: VHN-392916 // JVNDB: JVNDB-2021-001742 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-259 // NVD: CVE-2021-32930

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-154-01	Trust: 3.8
url:	http://jvn.jp/cert/jvnvu92160646	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021060407	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1970	Trust: 0.6
url:	https://www.zerodayinitiative.com/advisories/zdi-21-648/	Trust: 0.6

sources: ZDI: ZDI-21-648 // VULHUB: VHN-392916 // JVNDB: JVNDB-2021-001742 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-259 // NVD: CVE-2021-32930

CREDITS

Selim Enes Karaduman (@Enesdex)

Trust: 1.3

sources: ZDI: ZDI-21-648 // CNNVD: CNNVD-202106-259

SOURCES

db:	ZDI	id:	ZDI-21-648
db:	VULHUB	id:	VHN-392916
db:	JVNDB	id:	JVNDB-2021-001742
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202106-259
db:	NVD	id:	CVE-2021-32930

LAST UPDATE DATE

2024-08-14T13:12:02.058000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-21-648	date:	2021-06-07T00:00:00
db:	VULHUB	id:	VHN-392916	date:	2021-06-23T00:00:00
db:	JVNDB	id:	JVNDB-2021-001742	date:	2021-06-07T03:01:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202106-259	date:	2021-06-15T00:00:00
db:	NVD	id:	CVE-2021-32930	date:	2021-06-23T16:07:34.457

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-21-648	date:	2021-06-07T00:00:00
db:	VULHUB	id:	VHN-392916	date:	2021-06-11T00:00:00
db:	JVNDB	id:	JVNDB-2021-001742	date:	2021-06-07T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202106-259	date:	2021-06-03T00:00:00
db:	NVD	id:	CVE-2021-32930	date:	2021-06-11T17:15:10.963