Details of VAR-202107-0329

ID

VAR-202107-0329

CVE

CVE-2021-22779

TITLE

plural Schneider Electric Product spoofing authentication evasion vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-009773

DESCRIPTION

Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), SCADAPack RemoteConnect for x70 (all versions), Modicon M580 CPU (all versions - part numbers BMEP* and BMEH*), Modicon M340 CPU (all versions - part numbers BMXP34*), that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller. plural Schneider Electric The product contains a vulnerability in spoofing authentication bypass.Information may be obtained and information may be tampered with. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.25

sources: NVD: CVE-2021-22779 // JVNDB: JVNDB-2021-009773 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-22779

AFFECTED PRODUCTS

vendor:	schneider electric	model:	remoteconnect	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep584040	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep586040	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp342010	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep586040c	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	ecostruxure control expert	scope:	lt	version:	15.0	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep581020h	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep582020	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp342020	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmeh584040s	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmeh582040s	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep583040	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmeh584040c	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp342030	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep582040h	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep583020	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	ecostruxure control expert	scope:	eq	version:	15.0	Trust: 1.0
vendor:	schneider electric	model:	ecostruxure process expert	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmeh582040	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep582040	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmeh586040c	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmeh584040	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmeh586040s	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep581020	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep584020	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmeh586040	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep582040s	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep585040	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep585040c	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmeh582040c	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep584040s	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp341000	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep582020h	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	modicon m580 bmep582040h	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m580 bmep582020h	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m580 bmep582020	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	remoteconnect	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m580 bmep582040s	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m580 bmep582040	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	ecostruxure process expert	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m580 bmep581020h	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	ecostruxure control expert	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	modicon m580 bmep581020	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-009773 // NVD: CVE-2021-22779

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2021-22779
value:	CRITICAL
Trust: 1.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202107-1031
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2021-22779
value:	MEDIUM
Trust: 0.1

NVD:	CVE-2021-22779
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.9

NVD:	CVE-2021-22779
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-22779
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2021-22779 // JVNDB: JVNDB-2021-009773 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1031 // NVD: CVE-2021-22779

PROBLEMTYPE DATA

problemtype:	CWE-290	Trust: 1.0
problemtype:	Avoid authentication by spoofing (CWE-290) [ Other ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-009773 // NVD: CVE-2021-22779

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202107-1031

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1031

CONFIGURATIONS

sources: NVD: CVE-2021-22779

PATCH

title:

SEVD-2021-194-01

url:

https://download.schneider-electric.com/files?p_doc_ref=sevd-2021-194-01

Trust: 0.8

sources: JVNDB: JVNDB-2021-009773

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22779	Trust: 3.3
db:	SCHNEIDER	id:	SEVD-2021-194-01	Trust: 1.7
db:	JVN	id:	JVNVU97215148	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-009773	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021071415	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2406	Trust: 0.6
db:	CNNVD	id:	CNNVD-202107-1031	Trust: 0.6
db:	VULMON	id:	CVE-2021-22779	Trust: 0.1

sources: VULMON: CVE-2021-22779 // JVNDB: JVNDB-2021-009773 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1031 // NVD: CVE-2021-22779

REFERENCES

url:	http://download.schneider-electric.com/files?p_doc_ref=sevd-2021-194-01	Trust: 1.7
url:	https://jvn.jp/vu/jvnvu97215148/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22779	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021071415	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2406	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/290.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2021-22779 // JVNDB: JVNDB-2021-009773 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1031 // NVD: CVE-2021-22779

SOURCES

db:	VULMON	id:	CVE-2021-22779
db:	JVNDB	id:	JVNDB-2021-009773
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202107-1031
db:	NVD	id:	CVE-2021-22779

LAST UPDATE DATE

2022-05-21T20:53:59.998000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2021-22779	date:	2021-07-26T00:00:00
db:	JVNDB	id:	JVNDB-2021-009773	date:	2022-05-19T08:51:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202107-1031	date:	2021-08-12T00:00:00
db:	NVD	id:	CVE-2021-22779	date:	2021-07-26T17:20:00

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2021-22779	date:	2021-07-14T00:00:00
db:	JVNDB	id:	JVNDB-2021-009773	date:	2022-05-19T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202107-1031	date:	2021-07-14T00:00:00
db:	NVD	id:	CVE-2021-22779	date:	2021-07-14T15:15:00