Details of VAR-202103-0911

ID

VAR-202103-0911

CVE

CVE-2021-27438

TITLE

GE Reason DR60 code injection vulnerability

Trust: 0.6

sources: CNVD: CNVD-2021-24020

DESCRIPTION

The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1). Reason DR60 is a centralized, integrated multifunctional digital fault recorder (DFR) launched by GE. GE Reason DR60 firmware before 02A04.1 has a code injection vulnerability. The vulnerability stems from the fact that the software uses externally-influenced input from upstream components to construct all or part of the code segment, but does not neutralize or incorrectly neutralize special elements that may modify the syntax or behavior of the expected code segment. Attackers can use this vulnerability to inject code

Trust: 1.53

sources: NVD: CVE-2021-27438 // CNVD: CNVD-2021-24020 // VULMON: CVE-2021-27438

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-24020

AFFECTED PRODUCTS

vendor:	ge	model:	reason dr60	scope:	lt	version:	02a04.1	Trust: 1.0
vendor:	ge	model:	reason dr60 <02a04.1	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2021-24020 // NVD: CVE-2021-27438

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-27438
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2021-24020
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202103-1366
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-27438
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-27438
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2021-24020
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-27438
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2021-24020 // VULMON: CVE-2021-27438 // CNNVD: CNNVD-202103-1366 // NVD: CVE-2021-27438

PROBLEMTYPE DATA

problemtype:	CWE-798	Trust: 1.0
problemtype:	CWE-94	Trust: 1.0

sources: NVD: CVE-2021-27438

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202103-1366

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202103-1366

PATCH

title:	Patch for GE Reason DR60 code injection vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/255306	Trust: 0.6
title:	Grid Solutions GE Reason DR60 Fixes for code injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=145531	Trust: 0.6

sources: CNVD: CNVD-2021-24020 // CNNVD: CNNVD-202103-1366

EXTERNAL IDS

db:	NVD	id:	CVE-2021-27438	Trust: 2.3
db:	ICS CERT	id:	ICSA-21-082-03	Trust: 2.3
db:	CNVD	id:	CNVD-2021-24020	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1005	Trust: 0.6
db:	CNNVD	id:	CNNVD-202103-1366	Trust: 0.6
db:	VULMON	id:	CVE-2021-27438	Trust: 0.1

sources: CNVD: CNVD-2021-24020 // VULMON: CVE-2021-27438 // CNNVD: CNNVD-202103-1366 // NVD: CVE-2021-27438

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-082-03	Trust: 2.9
url:	https://www.auscert.org.au/bulletins/esb-2021.1005	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/798.html	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/94.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/198639	Trust: 0.1

sources: CNVD: CNVD-2021-24020 // VULMON: CVE-2021-27438 // CNNVD: CNNVD-202103-1366 // NVD: CVE-2021-27438

SOURCES

db:	CNVD	id:	CNVD-2021-24020
db:	VULMON	id:	CVE-2021-27438
db:	CNNVD	id:	CNNVD-202103-1366
db:	NVD	id:	CVE-2021-27438

LAST UPDATE DATE

2024-11-23T21:50:56.795000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-24020	date:	2021-03-31T00:00:00
db:	VULMON	id:	CVE-2021-27438	date:	2021-03-30T00:00:00
db:	CNNVD	id:	CNNVD-202103-1366	date:	2022-08-01T00:00:00
db:	NVD	id:	CVE-2021-27438	date:	2024-11-21T05:57:59.470

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-24020	date:	2021-03-31T00:00:00
db:	VULMON	id:	CVE-2021-27438	date:	2021-03-25T00:00:00
db:	CNNVD	id:	CNNVD-202103-1366	date:	2021-03-23T00:00:00
db:	NVD	id:	CVE-2021-27438	date:	2021-03-25T20:15:12.897