ID

VAR-202210-0241


CVE

CVE-2021-40556


TITLE

Out-of-bounds write vulnerability in ASUSTeK Computer Inc. RT-AX56U firmware

Trust: 0.8

sources: JVNDB: JVNDB-2021-020367

DESCRIPTION

A stack overflow vulnerability exists in the httpd service in ASUS RT-AX56U Router Version 3.0.0.4.386.44266. The vulnerability is caused by the strcat function called by the "caupload" input handling function, which allows the user to enter 0xFFFF bytes into the stack. This vulnerability allows an attacker to execute commands remotely. The vulnerability requires authentication. An out-of-bounds write vulnerability exists in ASUSTeK Computer Inc. RT-AX56U firmware. Information may be obtained or tampered with, and service operation may be interrupted (DoS). ASUS RT-AX56U is a wireless router from ASUS, China.

Trust: 2.16

sources: NVD: CVE-2021-40556 // JVNDB: JVNDB-2021-020367 // CNVD: CNVD-2022-68280

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-68280

AFFECTED PRODUCTS

vendor: asus, model: rt-ax56u, scope: eq, version: 3.0.0.4.386.44266

Trust: 1.6

vendor: asustek computer, model: rt-ax56u, scope: eq, version: -

Trust: 0.8

vendor: asustek computer, model: rt-ax56u, scope: eq, version: rt-ax56u firmware 3.0.0.4.386.44266

Trust: 0.8

vendor: asustek computer, model: rt-ax56u, scope: -, version: -

Trust: 0.8

sources: CNVD: CNVD-2022-68280 // JVNDB: JVNDB-2021-020367 // NVD: CVE-2021-40556

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-40556
value: HIGH

Trust: 1.0

NVD: CVE-2021-40556
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-68280
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202210-245
value: HIGH

Trust: 0.6

CVSSV2

CNVD: CNVD-2022-68280
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2021-40556
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-40556
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-68280 // JVNDB: JVNDB-2021-020367 // CNNVD: CNNVD-202210-245 // NVD: CVE-2021-40556

PROBLEMTYPE DATA

problemtype: CWE-787

Trust: 1.0

problemtype: Out-of-bounds write (CWE-787) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-020367 // NVD: CVE-2021-40556

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202210-245

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202210-245

PATCH

title: Patch for ASUS RT-AX56U Buffer Overflow Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/355496

Trust: 0.6

title: ASUS RT-AX56U Buffer error vulnerability fix, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=209900

Trust: 0.6

sources: CNVD: CNVD-2022-68280 // CNNVD: CNNVD-202210-245

EXTERNAL IDS

db: NVD, id: CVE-2021-40556

Trust: 3.8

db: JVNDB, id: JVNDB-2021-020367

Trust: 0.8

db: CNVD, id: CNVD-2022-68280

Trust: 0.6

db: CNNVD, id: CNNVD-202210-245

Trust: 0.6

sources: CNVD: CNVD-2022-68280 // JVNDB: JVNDB-2021-020367 // CNNVD: CNNVD-202210-245 // NVD: CVE-2021-40556

REFERENCES

url: https://www.asus.com/tw/networking-iot-servers/wifi-routers/asus-wifi-routers/rt-ax56u/helpdesk_bios/

Trust: 2.4

url: https://x1ng.top/2021/10/14/asus%e6%a0%88%e6%ba%a2%e5%87%ba%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90/

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2021-40556

Trust: 1.4

url: https://cxsecurity.com/cveshow/cve-2021-40556/

Trust: 0.6

sources: CNVD: CNVD-2022-68280 // JVNDB: JVNDB-2021-020367 // CNNVD: CNNVD-202210-245 // NVD: CVE-2021-40556

SOURCES

db: CNVD, id: CNVD-2022-68280
db: JVNDB, id: JVNDB-2021-020367
db: CNNVD, id: CNNVD-202210-245
db: NVD, id: CVE-2021-40556

LAST UPDATE DATE

2024-08-14T13:42:24.064000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-68280, date: 2022-10-12T00:00:00
db: JVNDB, id: JVNDB-2021-020367, date: 2023-10-19T08:32:00
db: CNNVD, id: CNNVD-202210-245, date: 2022-10-09T00:00:00
db: NVD, id: CVE-2021-40556, date: 2022-10-07T17:39:32.723

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-68280, date: 2022-10-12T00:00:00
db: JVNDB, id: JVNDB-2021-020367, date: 2023-10-19T00:00:00
db: CNNVD, id: CNNVD-202210-245, date: 2022-10-06T00:00:00
db: NVD, id: CVE-2021-40556, date: 2022-10-06T18:15:50.453