Details of VAR-202102-1387

ID

VAR-202102-1387

CVE

CVE-2021-27156

TITLE

FiberHome HG6245D Vulnerability in using hard-coded credentials on devices

Trust: 0.8

sources: JVNDB: JVNDB-2021-003299

DESCRIPTION

An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains credentials for an ISP that equal the last part of the MAC address of the br0 interface. FiberHome HG6245D A device contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. HG6245D is a GPON FTTH router launched by FiberHome. There is a trust management vulnerability in FiberHome HG6245D. The vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use this vulnerability to attack affected components using default passwords or hard-coded passwords, hard-coded certificates, etc

Trust: 2.16

sources: NVD: CVE-2021-27156 // JVNDB: JVNDB-2021-003299 // CNVD: CNVD-2021-13655

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-13655

AFFECTED PRODUCTS

vendor:	fiberhome	model:	hg6245d	scope:	lte	version:	rp2613	Trust: 1.0
vendor:	fiberhome group	model:	hg6245d	scope:	eq	version:	-	Trust: 0.8
vendor:	fiberhome group	model:	hg6245d	scope:	lte	version:	hg6245d firmware rp2613 until	Trust: 0.8
vendor:	fiberhome	model:	hg6245d	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2021-13655 // JVNDB: JVNDB-2021-003299 // NVD: CVE-2021-27156

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-27156
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-27156
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2021-13655
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202102-942
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2021-27156
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2021-13655
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-27156
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-27156
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-13655 // JVNDB: JVNDB-2021-003299 // CNNVD: CNNVD-202102-942 // NVD: CVE-2021-27156

PROBLEMTYPE DATA

problemtype:	CWE-798	Trust: 1.0
problemtype:	Using hardcoded credentials (CWE-798) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-003299 // NVD: CVE-2021-27156

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-942

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202102-942

PATCH

title:	Top Page	url:	http://www.fiberhome.com/default.aspx	Trust: 0.8
title:	Patch for FiberHome HG6245D trust management issue vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/256191	Trust: 0.6
title:	Fiber Repair measures for trust management problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=142274	Trust: 0.6

sources: CNVD: CNVD-2021-13655 // JVNDB: JVNDB-2021-003299 // CNNVD: CNNVD-202102-942

EXTERNAL IDS

db:	NVD	id:	CVE-2021-27156	Trust: 3.0
db:	JVNDB	id:	JVNDB-2021-003299	Trust: 0.8
db:	CNVD	id:	CNVD-2021-13655	Trust: 0.6
db:	CNNVD	id:	CNNVD-202102-942	Trust: 0.6

sources: CNVD: CNVD-2021-13655 // JVNDB: JVNDB-2021-003299 // CNNVD: CNNVD-202102-942 // NVD: CVE-2021-27156

REFERENCES

url:	https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#httpd-hardcoded-credentials	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-27156	Trust: 1.4
url:	httpd-hardcoded-credentials	Trust: 0.6
url:	https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#	Trust: 0.6

sources: CNVD: CNVD-2021-13655 // JVNDB: JVNDB-2021-003299 // CNNVD: CNNVD-202102-942 // NVD: CVE-2021-27156

SOURCES

db:	CNVD	id:	CNVD-2021-13655
db:	JVNDB	id:	JVNDB-2021-003299
db:	CNNVD	id:	CNNVD-202102-942
db:	NVD	id:	CVE-2021-27156

LAST UPDATE DATE

2024-11-23T21:51:02.049000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-13655	date:	2021-04-06T00:00:00
db:	JVNDB	id:	JVNDB-2021-003299	date:	2021-10-22T05:08:00
db:	CNNVD	id:	CNNVD-202102-942	date:	2021-03-09T00:00:00
db:	NVD	id:	CVE-2021-27156	date:	2024-11-21T05:57:26.110

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-13655	date:	2021-03-01T00:00:00
db:	JVNDB	id:	JVNDB-2021-003299	date:	2021-10-22T00:00:00
db:	CNNVD	id:	CNNVD-202102-942	date:	2021-02-10T00:00:00
db:	NVD	id:	CVE-2021-27156	date:	2021-02-10T19:15:13.933