ID

VAR-202103-0916


CVE

CVE-2021-27454


TITLE

Multiple vulnerabilities in multiple General Electric products

Trust: 0.8

sources: JVNDB: JVNDB-2021-001291

DESCRIPTION

The software performs an operation at a privilege level higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses on the Reason DR60 (all firmware versions prior to 02A04.1).

The MU320E provided by General Electric contains the following vulnerabilities:

* Use of hard-coded passwords (CWE-259) - CVE-2021-27452
* Execution with unnecessary privileges (CWE-250) - CVE-2021-27448
* Inadequate encryption strength (CWE-326) - CVE-2021-27450

The Reason DR60 provided by General Electric contains the following vulnerabilities:

* Use of hard-coded passwords (CWE-259) - CVE-2021-27440
* Code injection (CWE-94) - CVE-2021-27438
* Execution with unnecessary privileges (CWE-250) - CVE-2021-27454

The expected impact depends on each vulnerability, but may include the following:

* A remote third party uses hard-coded credentials to control the merging unit - CVE-2021-27452
* A third party who has access to the device elevates privileges - CVE-2021-27448
* Insufficient cryptographic strength of the SSH protocol can lead to further improper configuration or use as a springboard for other attacks - CVE-2021-27450
* A remote third party uses hard-coded credentials to authenticate fraudulently or to communicate with external components - CVE-2021-27440
* A remote third party supplies malicious input that changes the syntax or behavior of a code segment - CVE-2021-27438
* Because the software operates at an unnecessary privilege level, other vulnerabilities may occur or the effects of other vulnerabilities may increase - CVE-2021-27454

Reason DR60 is a centralized, integrated multifunctional digital fault recorder (DFR) launched by GE. GE Reason DR60 firmware before 02A04.1 has an improper permission vulnerability. No detailed vulnerability details are currently provided.

Trust: 2.25

sources: NVD: CVE-2021-27454 // JVNDB: JVNDB-2021-001291 // CNVD: CNVD-2021-24019 // VULMON: CVE-2021-27454

IOT TAXONOMY

category: ['IoT']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-24019

AFFECTED PRODUCTS

vendor: ge, model: reason dr60, scope: lt, version: 02a04.1

Trust: 1.0

vendor: general electric, model: mu320e, scope: -, version: -

Trust: 0.8

vendor: general electric, model: reason dr60, scope: -, version: -

Trust: 0.8

vendor: ge, model: reason dr60 <02a04.1, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2021-24019 // JVNDB: JVNDB-2021-001291 // NVD: CVE-2021-27454

CVSS

SEVERITY

CVSSV2

CVSSV3

IPA: JVNDB-2021-001291
value: HIGH

Trust: 2.4

IPA: JVNDB-2021-001291
value: CRITICAL

Trust: 1.6

nvd@nist.gov: CVE-2021-27454
value: HIGH

Trust: 1.0

IPA: JVNDB-2021-001291
value: LOW

Trust: 0.8

CNVD: CNVD-2021-24019
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202103-1365
value: HIGH

Trust: 0.6

VULMON: CVE-2021-27454
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-27454
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

CNVD: CNVD-2021-24019
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IPA: JVNDB-2021-001291
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 1.6

nvd@nist.gov: CVE-2021-27454
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

IPA: JVNDB-2021-001291
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

IPA: JVNDB-2021-001291
baseSeverity: LOW
baseScore: 3.8
vectorString: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

IPA: JVNDB-2021-001291
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

IPA: JVNDB-2021-001291
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-24019 // VULMON: CVE-2021-27454 // JVNDB: JVNDB-2021-001291 // JVNDB: JVNDB-2021-001291 // JVNDB: JVNDB-2021-001291 // JVNDB: JVNDB-2021-001291 // JVNDB: JVNDB-2021-001291 // JVNDB: JVNDB-2021-001291 // CNNVD: CNNVD-202103-1365 // NVD: CVE-2021-27454

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.0

problemtype:CWE-250

Trust: 1.0

problemtype:Execution with unnecessary privileges (CWE-250) [IPA Evaluation ]

Trust: 0.8

problemtype: Use hard-coded passwords (CWE-259) [IPA Evaluation ]

Trust: 0.8

problemtype: Inadequate encryption strength (CWE-326) [IPA Evaluation ]

Trust: 0.8

problemtype: Code injection (CWE-94) [IPA Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-001291 // NVD: CVE-2021-27454

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202103-1365

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202103-1365

PATCH

title: GES-2021-002 (Login required) General Electric
url: https://www.gegridsolutions.com/app/viewfiles.aspx?prod=DR60&type=21

Trust: 0.8

title: Patch for GE Reason DR60 Improper Permission Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/255301

Trust: 0.6

title: Grid Solutions GE Reason DR60 Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=145530

Trust: 0.6

sources: CNVD: CNVD-2021-24019 // JVNDB: JVNDB-2021-001291 // CNNVD: CNNVD-202103-1365

EXTERNAL IDS

db: NVD, id: CVE-2021-27454

Trust: 3.1

db: ICS CERT, id: ICSA-21-082-03

Trust: 3.1

db: ICS CERT, id: ICSA-21-082-02

Trust: 0.8

db: JVN, id: JVNVU98539192

Trust: 0.8

db: JVNDB, id: JVNDB-2021-001291

Trust: 0.8

db: CNVD, id: CNVD-2021-24019

Trust: 0.6

db: AUSCERT, id: ESB-2021.1005

Trust: 0.6

db: CNNVD, id: CNNVD-202103-1365

Trust: 0.6

db: VULMON, id: CVE-2021-27454

Trust: 0.1

sources: CNVD: CNVD-2021-24019 // VULMON: CVE-2021-27454 // JVNDB: JVNDB-2021-001291 // CNNVD: CNNVD-202103-1365 // NVD: CVE-2021-27454

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-082-03

Trust: 3.7

url:http://jvn.jp/cert/jvnvu98539192

Trust: 0.8

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-082-02

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2021.1005

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/269.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2021-24019 // VULMON: CVE-2021-27454 // JVNDB: JVNDB-2021-001291 // CNNVD: CNNVD-202103-1365 // NVD: CVE-2021-27454

SOURCES

db: CNVD, id: CNVD-2021-24019
db: VULMON, id: CVE-2021-27454
db: JVNDB, id: JVNDB-2021-001291
db: CNNVD, id: CNNVD-202103-1365
db: NVD, id: CVE-2021-27454

LAST UPDATE DATE

2024-11-23T21:50:56.691000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-24019, date: 2021-03-31T00:00:00
db: VULMON, id: CVE-2021-27454, date: 2021-03-30T00:00:00
db: JVNDB, id: JVNDB-2021-001291, date: 2021-03-25T07:23:00
db: CNNVD, id: CNNVD-202103-1365, date: 2021-03-31T00:00:00
db: NVD, id: CVE-2021-27454, date: 2024-11-21T05:58:01.307

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-24019, date: 2021-03-31T00:00:00
db: VULMON, id: CVE-2021-27454, date: 2021-03-25T00:00:00
db: JVNDB, id: JVNDB-2021-001291, date: 2021-03-25T00:00:00
db: CNNVD, id: CNNVD-202103-1365, date: 2021-03-23T00:00:00
db: NVD, id: CVE-2021-27454, date: 2021-03-25T20:15:13.303