Details of VAR-202108-1585

ID

VAR-202108-1585

CVE

CVE-2021-38543

TITLE

TP-Link UE330 USB Vulnerabilities in splitter devices

Trust: 0.8

sources: JVNDB: JVNDB-2021-010856

DESCRIPTION

TP-Link UE330 USB splitter devices through 2021-08-09, in certain specific use cases in which the device supplies power to audio-output equipment, allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. We assume that the USB splitter supplies power to some speakers. The power indicator LED of the USB splitter is connected directly to the power line, as a result, the intensity of the USB splitter's power indicator LED is correlative to its power consumption. The sound played by the connected speakers affects the USB splitter's power consumption and as a result is also correlative to the light intensity of the LED. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LED of the USB splitter, we can recover the sound played by the connected speakers. The TP-Link UE330 USB is a ported USB 3.0 hub

Trust: 2.25

sources: NVD: CVE-2021-38543 // JVNDB: JVNDB-2021-010856 // CNVD: CNVD-2022-21172 // VULMON: CVE-2021-38543

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-21172

AFFECTED PRODUCTS

vendor:	tp link	model:	ue330	scope:	lte	version:	2021-08-09	Trust: 1.0
vendor:	tp link	model:	ue330	scope:	eq	version:	-	Trust: 0.8
vendor:	tp link	model:	ue330	scope:	eq	version:	ue330 firmware 2021/08/09 to	Trust: 0.8
vendor:	tp link	model:	ue330 usb	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2022-21172 // JVNDB: JVNDB-2021-010856 // NVD: CVE-2021-38543

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-38543
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-38543
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2022-21172
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-1090
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2021-38543
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-38543
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2022-21172
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-38543
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-38543
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-21172 // VULMON: CVE-2021-38543 // JVNDB: JVNDB-2021-010856 // CNNVD: CNNVD-202108-1090 // NVD: CVE-2021-38543

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-010856 // NVD: CVE-2021-38543

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-1090

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202108-1090

PATCH

title:	top page	url:	https://www.tp-link.com/jp/	Trust: 0.8
title:	Patch for TP-Link UE330 USB Information Disclosure Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/326741	Trust: 0.6
title:	TP-Link UE330 USB Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=159557	Trust: 0.6

sources: CNVD: CNVD-2022-21172 // JVNDB: JVNDB-2021-010856 // CNNVD: CNNVD-202108-1090

EXTERNAL IDS

db:	NVD	id:	CVE-2021-38543	Trust: 3.9
db:	JVNDB	id:	JVNDB-2021-010856	Trust: 0.8
db:	CNVD	id:	CNVD-2022-21172	Trust: 0.6
db:	CNNVD	id:	CNNVD-202108-1090	Trust: 0.6
db:	VULMON	id:	CVE-2021-38543	Trust: 0.1

sources: CNVD: CNVD-2022-21172 // VULMON: CVE-2021-38543 // JVNDB: JVNDB-2021-010856 // CNNVD: CNNVD-202108-1090 // NVD: CVE-2021-38543

REFERENCES

url:	https://www.nassiben.com/glowworm-attack	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-38543	Trust: 1.4
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2022-21172 // VULMON: CVE-2021-38543 // JVNDB: JVNDB-2021-010856 // CNNVD: CNNVD-202108-1090 // NVD: CVE-2021-38543

SOURCES

db:	CNVD	id:	CNVD-2022-21172
db:	VULMON	id:	CVE-2021-38543
db:	JVNDB	id:	JVNDB-2021-010856
db:	CNNVD	id:	CNNVD-202108-1090
db:	NVD	id:	CVE-2021-38543

LAST UPDATE DATE

2024-08-14T13:23:27.462000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-21172	date:	2022-03-21T00:00:00
db:	VULMON	id:	CVE-2021-38543	date:	2021-08-23T00:00:00
db:	JVNDB	id:	JVNDB-2021-010856	date:	2022-07-11T02:07:00
db:	CNNVD	id:	CNNVD-202108-1090	date:	2021-08-24T00:00:00
db:	NVD	id:	CVE-2021-38543	date:	2021-08-23T16:56:23.440

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-21172	date:	2022-03-21T00:00:00
db:	VULMON	id:	CVE-2021-38543	date:	2021-08-11T00:00:00
db:	JVNDB	id:	JVNDB-2021-010856	date:	2022-07-11T00:00:00
db:	CNNVD	id:	CNNVD-202108-1090	date:	2021-08-11T00:00:00
db:	NVD	id:	CVE-2021-38543	date:	2021-08-11T16:15:07.210