Risk | High |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2021-27440 CVE-2021-27438 CVE-2021-27454 |
CWE-ID | CWE-259 CWE-94 CWE-250 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Reason DR60 Hardware solutions / Firmware |
Vendor |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU51694
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27440
CWE-ID:
CWE-259 - Use of Hard-coded Password
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. A remote attacker can take full control of the digital fault recorder (DFR).
MitigationInstall updates from vendor's website.
Vulnerable software versionsReason DR60: before 02A04.1
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-21-082-03
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51695
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27438
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote authenticated attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsReason DR60: before 02A04.1
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-21-082-03
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51696
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27454
CWE-ID:
CWE-250 - Execution with Unnecessary Privileges
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the affected software performs an operation at a privilege level higher than the minimum level required. A local user can gain elevated privileges on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsReason DR60: before 02A04.1
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-21-082-03
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.