ID

VAR-202111-0251


CVE

CVE-2021-38416


TITLE

Uncontrolled search path element vulnerability in Delta Electronics DIALink

Trust: 0.8

sources: JVNDB: JVNDB-2021-014637

DESCRIPTION

Delta Electronics DIALink versions 1.2.4.0 and prior insecurely load libraries, which may allow an attacker to use DLL hijacking and take over the system where the software is installed. Delta Electronics DIALink contains an uncontrolled search path element vulnerability. Information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. DIALink is a device networking platform launched by Delta Electronics, which can effectively manage CNC machine tools and PLC control machines, collect field device data and connect with the upper management platform through a unified interface, and provide visual information to reflect process parameters and equipment work. DIALink 1.2.4.0 and earlier have security vulnerabilities. The vulnerability stems from the affected product loading a library insecurely.

Trust: 2.16

sources: NVD: CVE-2021-38416 // JVNDB: JVNDB-2021-014637 // CNVD: CNVD-2021-84834

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-84834

AFFECTED PRODUCTS

vendor: deltaww, model: dialink, scope: lte, version: 1.2.4.0

Trust: 1.0

vendor: delta, model: dialink, scope: eq, version: -

Trust: 0.8

vendor: delta, model: dialink, scope: lte, version: 1.2.4.0 and earlier

Trust: 0.8

vendor: delta, model: electronics dialink, scope: lte, version: <=1.2.4.0

Trust: 0.6

sources: CNVD: CNVD-2021-84834 // JVNDB: JVNDB-2021-014637 // NVD: CVE-2021-38416

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-38416
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-38416
value: HIGH

Trust: 1.0

NVD: CVE-2021-38416
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-84834
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202110-1525
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2021-38416
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-84834
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-38416
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-014637
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-84834 // JVNDB: JVNDB-2021-014637 // CNNVD: CNNVD-202110-1525 // NVD: CVE-2021-38416 // NVD: CVE-2021-38416

PROBLEMTYPE DATA

problemtype:CWE-427

Trust: 1.0

problemtype:Uncontrolled search path elements (CWE-427) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-014637 // NVD: CVE-2021-38416

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202110-1525

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202110-1525

PATCH

title: Top Page, url: https://www.deltaww.com/en-US/index

Trust: 0.8

sources: JVNDB: JVNDB-2021-014637

EXTERNAL IDS

db: NVD, id: CVE-2021-38416

Trust: 3.8

db: ICS CERT, id: ICSA-21-294-02

Trust: 3.0

db: JVN, id: JVNVU94767496

Trust: 0.8

db: JVNDB, id: JVNDB-2021-014637

Trust: 0.8

db: CNVD, id: CNVD-2021-84834

Trust: 0.6

db: AUSCERT, id: ESB-2021.3528

Trust: 0.6

db: CS-HELP, id: SB2021102209

Trust: 0.6

db: CNNVD, id: CNNVD-202110-1525

Trust: 0.6

sources: CNVD: CNVD-2021-84834 // JVNDB: JVNDB-2021-014637 // CNNVD: CNNVD-202110-1525 // NVD: CVE-2021-38416

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02

Trust: 2.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-38416

Trust: 1.4

url:https://jvn.jp/vu/jvnvu94767496/

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-21-294-02

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021102209

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3528

Trust: 0.6

sources: CNVD: CNVD-2021-84834 // JVNDB: JVNDB-2021-014637 // CNNVD: CNNVD-202110-1525 // NVD: CVE-2021-38416

CREDITS

Michael Heinzl reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202110-1525

SOURCES

db: CNVD, id: CNVD-2021-84834
db: JVNDB, id: JVNDB-2021-014637
db: CNNVD, id: CNNVD-202110-1525
db: NVD, id: CVE-2021-38416

LAST UPDATE DATE

2024-08-14T13:53:47.644000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-84834, date: 2022-01-18T00:00:00
db: JVNDB, id: JVNDB-2021-014637, date: 2022-10-21T07:58:00
db: CNNVD, id: CNNVD-202110-1525, date: 2021-11-11T00:00:00
db: NVD, id: CVE-2021-38416, date: 2021-11-05T15:28:37.760

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-84834, date: 2021-11-08T00:00:00
db: JVNDB, id: JVNDB-2021-014637, date: 2022-10-21T00:00:00
db: CNNVD, id: CNNVD-202110-1525, date: 2021-10-21T00:00:00
db: NVD, id: CVE-2021-38416, date: 2021-11-03T20:15:08.597