Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 5 |
CVE-ID | CVE-2021-22646 CVE-2021-22648 CVE-2021-22642 CVE-2021-22640 CVE-2021-22644 |
CWE-ID | CWE-94 CWE-732 CWE-400 CWE-522 CWE-321 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
TBox LT2 Hardware solutions / Firmware TBox RM2 Hardware solutions / Firmware TBox TG2 Hardware solutions / Firmware TBox MS-CPU32 Hardware solutions / Firmware TBox MS-CPU32-S2 Hardware solutions / Firmware TWinSoft Hardware solutions / Firmware |
Vendor | Ovarro |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU51689
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22646
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the "ipk" package. A remote authenticated attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTBox LT2: All versions
TBox RM2: All versions
TBox TG2: All versions
TBox MS-CPU32: before 1.46
TBox MS-CPU32-S2: before 1.46
TWinSoft: before 12.4
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-21-054-04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51690
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22648
CWE-ID:
CWE-732 - Incorrect Permission Assignment for Critical Resource
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to incorrect permission assignment for critical resource within the TBox proprietary Modbus file access functions. A remote authenticated attacker can read, alter or delete the configuration file.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTBox LT2: All versions
TBox RM2: All versions
TBox TG2: All versions
TBox MS-CPU32: before 1.46
TBox MS-CPU32-S2: before 1.46
TWinSoft: before 12.4
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-21-054-04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51691
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22642
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can use specially crafted invalid Modbus frames, trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTBox LT2: All versions
TBox RM2: All versions
TBox TG2: All versions
TBox MS-CPU32: before 1.46
TBox MS-CPU32-S2: before 1.46
TWinSoft: before 12.4
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-21-054-04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51692
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22640
CWE-ID:
CWE-522 - Insufficiently Protected Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insufficiently protected credentials. A remote attacker can decrypt the login password by communication capture and brute force attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTBox LT2: All versions
TBox RM2: All versions
TBox TG2: All versions
TBox MS-CPU32: before 1.46
TBox MS-CPU32-S2: before 1.46
TWinSoft: before 12.4
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-21-054-04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51693
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22644
CWE-ID:
CWE-321 - Use of Hard-coded Cryptographic Key
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to disclose sensitive information on the target system.
The vulnerability exists due to the TWinSoft uses the custom hardcoded user “TWinSoft” with a hardcoded key. A remote attacker can gain access to sensitive data on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTBox LT2: All versions
TBox RM2: All versions
TBox TG2: All versions
TBox MS-CPU32: before 1.46
TBox MS-CPU32-S2: before 1.46
TWinSoft: before 12.4
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-21-054-04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.