Use of Uninitialized Variable in CC3200 SimpleLink Solution

#VU60680 Use of Uninitialized Variable in CC3200 SimpleLink Solution

Published: 2022-02-17

Vulnerability identifier: #VU60680

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21966

CWE-ID: CWE-457

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CC3200 SimpleLink Solution
Hardware solutions / Firmware

Vendor: Texas Instruments

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to use of uninitialized variable in the HTTP Server /ping.html functionality. A remote attacker can send an HTTP request and gain unauthorized access to sensitive information on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

CC3200 SimpleLink Solution: 2.9.0.0

External links
http://talosintelligence.com/vulnerability_reports/TALOS-2021-1393

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Sealevel Systems SeaConnect 370W

Information disclosure in Texas Instruments CC3200 SimpleLink Solution