Details of VAR-202106-1962

ID

VAR-202106-1962

CVE

CVE-2021-32934

TITLE

ThroughTek Made P2P SDK vulnerability to transmitting sensitive information in plain text

Trust: 0.8

sources: JVNDB: JVNDB-2021-001889

DESCRIPTION

The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds. ThroughTek Provided by the company P2P Software Development Kit (SDK) contains a vulnerability in which sensitive information may be transmitted in plain text. P2P Software Development Kit (SDK) provides the ability to access audio and video streams over the Internet. ThroughTek This is a development kit manufactured by the company. SDK The company said that data transferred between the device and its servers is not adequately protected, and that sensitive information is transmitted in plain text. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.25

sources: NVD: CVE-2021-32934 // JVNDB: JVNDB-2021-001889 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-32934

IOT TAXONOMY

category:

['camera device']

sub_category:

camera

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor:	throughtek	model:	kalay p2p software development kit	scope:	lte	version:	3.1.5	Trust: 1.0
vendor:	throughtek	model:	p2p software development kit	scope:	eq	version:	p2ptunnel or rdt firmware for devices that use the module	Trust: 0.8
vendor:	throughtek	model:	p2p software development kit	scope:	lte	version:	v3.1.5 and earlier	Trust: 0.8
vendor:	throughtek	model:	p2p software development kit	scope:	eq	version:	dtls do not enable avapi firmware for devices that use the module	Trust: 0.8
vendor:	throughtek	model:	p2p software development kit	scope:	eq	version:	nossl tagged sdk of	Trust: 0.8
vendor:	throughtek	model:	p2p software development kit	scope:	eq	version:	-	Trust: 0.8
vendor:	throughtek	model:	p2p software development kit	scope:	eq	version:	iotc to connect to authkey firmware for devices that do not use	Trust: 0.8

sources: JVNDB: JVNDB-2021-001889 // NVD: CVE-2021-32934

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-32934
value:	HIGH
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2021-32934
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-32934
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202106-1289
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-32934
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-32934
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2021-32934
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2021-32934
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	5.2
version:	3.1
Trust: 1.0
IPA:	JVNDB-2021-001889
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2021-32934 // JVNDB: JVNDB-2021-001889 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1289 // NVD: CVE-2021-32934 // NVD: CVE-2021-32934

PROBLEMTYPE DATA

problemtype:	CWE-319	Trust: 1.0
problemtype:	Sending important information in clear text (CWE-319) [IPA evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-001889 // NVD: CVE-2021-32934

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-1289

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	ThroughTek ’ s advisory	url:	https://www.throughtek.com/about-throughteks-kalay-platform-security-mechanism/	Trust: 0.8
title:	ThroughTek P2P SDK Repair measures for information disclosure vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=154091	Trust: 0.6
title:	Threatpost	url:	https://threatpost.com/millions-connected-cameras-eavesdropping/166950/	Trust: 0.1

sources: VULMON: CVE-2021-32934 // JVNDB: JVNDB-2021-001889 // CNNVD: CNNVD-202106-1289

EXTERNAL IDS

db:	NVD	id:	CVE-2021-32934	Trust: 3.4
db:	ICS CERT	id:	ICSA-21-166-01	Trust: 2.5
db:	JVN	id:	JVNVU91747873	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-001889	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021061602	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2138	Trust: 0.6
db:	CNNVD	id:	CNNVD-202106-1289	Trust: 0.6
db:	OTHER	id:	NONE	Trust: 0.1
db:	VULMON	id:	CVE-2021-32934	Trust: 0.1

sources: OTHER: None // VULMON: CVE-2021-32934 // JVNDB: JVNDB-2021-001889 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1289 // NVD: CVE-2021-32934

REFERENCES

url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01	Trust: 1.7
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01	Trust: 1.4
url:	http://jvn.jp/cert/jvnvu91747873	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-32934	Trust: 0.8
url:	https://www.nozominetworks.com/blog/new-iot-security-risk-throughtek-p2p-supply-chain-vulnerability/	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021061602	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2138	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2021-32934/	Trust: 0.6
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/319.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/millions-connected-cameras-eavesdropping/166950/	Trust: 0.1

sources: OTHER: None // VULMON: CVE-2021-32934 // JVNDB: JVNDB-2021-001889 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1289 // NVD: CVE-2021-32934

CREDITS

Nozomi Networks reported this vulnerability to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202106-1289

SOURCES

db:	OTHER	id:	-
db:	VULMON	id:	CVE-2021-32934
db:	JVNDB	id:	JVNDB-2021-001889
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202106-1289
db:	NVD	id:	CVE-2021-32934

LAST UPDATE DATE

2025-01-30T20:48:53.455000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2021-32934	date:	2022-06-06T00:00:00
db:	JVNDB	id:	JVNDB-2021-001889	date:	2024-06-20T01:55:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202106-1289	date:	2022-06-08T00:00:00
db:	NVD	id:	CVE-2021-32934	date:	2022-06-06T15:48:00.817

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2021-32934	date:	2022-05-19T00:00:00
db:	JVNDB	id:	JVNDB-2021-001889	date:	2021-06-17T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202106-1289	date:	2021-06-15T00:00:00
db:	NVD	id:	CVE-2021-32934	date:	2022-05-19T18:15:09.237