ID

VAR-202111-0346


CVE

CVE-2021-38424


TITLE

Delta Electronics DIALink vulnerability in neutralization of formula elements in a CSV file

Trust: 0.8

sources: JVNDB: JVNDB-2021-014641

DESCRIPTION

The tag interface of Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to an attacker injecting formulas into the tag data. Those formulas may then be executed when the data is opened with a spreadsheet application. Delta Electronics DIALink contains a vulnerability related to the neutralization of formula elements in CSV files. Information may be obtained or tampered with, and service operation may be interrupted (DoS). DIALink is a device networking platform launched by Delta Electronics, which can effectively manage CNC machine tools and PLC control machines, collect field device data and connect with the upper management platform through a unified interface, and provide visual information to reflect process parameters and equipment work. DIALink 1.2.4.0 and earlier have security vulnerabilities. An attacker can exploit this vulnerability to inject formulas into label data and execute them.

Trust: 2.16

sources: NVD: CVE-2021-38424 // JVNDB: JVNDB-2021-014641 // CNVD: CNVD-2021-84835

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-84835

AFFECTED PRODUCTS

vendor: deltaww, model: dialink, scope: lte, version: 1.2.4.0

Trust: 1.0

vendor: delta, model: dialink, scope: eq, version: -

Trust: 0.8

vendor: delta, model: dialink, scope: lte, version: 1.2.4.0 and earlier

Trust: 0.8

vendor: delta, model: electronics dialink, scope: lte, version: <=1.2.4.0

Trust: 0.6

sources: CNVD: CNVD-2021-84835 // JVNDB: JVNDB-2021-014641 // NVD: CVE-2021-38424

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-38424
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-38424
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-38424
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-84835
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202110-1530
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2021-38424
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-84835
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-38424
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-38424
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.7
impactScore: 3.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-38424
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-84835 // JVNDB: JVNDB-2021-014641 // CNNVD: CNNVD-202110-1530 // NVD: CVE-2021-38424 // NVD: CVE-2021-38424

PROBLEMTYPE DATA

problemtype:CWE-1236

Trust: 1.0

problemtype: Improper neutralization of formula elements in a CSV file (CWE-1236) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2021-014641 // NVD: CVE-2021-38424

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202110-1530

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202110-1530

PATCH

title: Top Page, url: https://www.deltaww.com/en-US/index

Trust: 0.8

sources: JVNDB: JVNDB-2021-014641

EXTERNAL IDS

db: NVD, id: CVE-2021-38424

Trust: 3.8

db: ICS CERT, id: ICSA-21-294-02

Trust: 3.0

db: JVN, id: JVNVU94767496

Trust: 0.8

db: JVNDB, id: JVNDB-2021-014641

Trust: 0.8

db: CNVD, id: CNVD-2021-84835

Trust: 0.6

db: AUSCERT, id: ESB-2021.3528

Trust: 0.6

db: CS-HELP, id: SB2021102209

Trust: 0.6

db: CNNVD, id: CNNVD-202110-1530

Trust: 0.6

sources: CNVD: CNVD-2021-84835 // JVNDB: JVNDB-2021-014641 // CNNVD: CNNVD-202110-1530 // NVD: CVE-2021-38424

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02

Trust: 2.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-38424

Trust: 1.4

url:https://jvn.jp/vu/jvnvu94767496/

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-21-294-02

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021102209

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3528

Trust: 0.6

sources: CNVD: CNVD-2021-84835 // JVNDB: JVNDB-2021-014641 // CNNVD: CNNVD-202110-1530 // NVD: CVE-2021-38424

CREDITS

Michael Heinzl reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202110-1530

SOURCES

db: CNVD, id: CNVD-2021-84835
db: JVNDB, id: JVNDB-2021-014641
db: CNNVD, id: CNNVD-202110-1530
db: NVD, id: CVE-2021-38424

LAST UPDATE DATE

2024-08-14T13:53:47.785000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-84835, date: 2022-01-18T00:00:00
db: JVNDB, id: JVNDB-2021-014641, date: 2022-10-21T07:58:00
db: CNNVD, id: CNNVD-202110-1530, date: 2021-11-16T00:00:00
db: NVD, id: CVE-2021-38424, date: 2021-11-05T16:21:45.980

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-84835, date: 2021-11-08T00:00:00
db: JVNDB, id: JVNDB-2021-014641, date: 2022-10-21T00:00:00
db: CNNVD, id: CNNVD-202110-1530, date: 2021-10-21T00:00:00
db: NVD, id: CVE-2021-38424, date: 2021-11-03T20:15:08.827