Sign-up

ID

VAR-202109-0219


CVE

CVE-2021-22272


TITLE

ABB Mybuildings Code problem vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202109-1775

DESCRIPTION

The vulnerability origins in the commissioning process where an attacker of the ControlTouch can enter a serial number in a specific way to transfer the device virtually into her/his my.busch-jaeger.de or mybuildings.abb.com profile. A successful attacker can observe and control a ControlTouch remotely under very specific circumstances. The issue is fixed in the cloud side of the system. No firmware update is needed for customer products. If a user wants to understand if (s)he is affected, please read the advisory. This issue affects: ABB and Busch-Jaeger, ControlTouch

Trust: 1.08

sources: NVD: CVE-2021-22272 // VULHUB: VHN-380707 // VULMON: CVE-2021-22272

AFFECTED PRODUCTS

vendor:busch jaegermodel:mybusch-jaegerscope:ltversion:2021-05-03

Trust: 1.0

vendor:abbmodel:mybuildingsscope:ltversion:2021-05-03

Trust: 1.0

sources: NVD: CVE-2021-22272

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-22272
value: CRITICAL

Trust: 1.0

cybersecurity@ch.abb.com: CVE-2021-22272
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202109-1775
value: CRITICAL

Trust: 0.6

VULHUB: VHN-380707
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-22272
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:M/AU:N/C:P/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 9.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-380707
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:M/AU:N/C:P/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 9.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-22272
baseSeverity: CRITICAL
baseScore: 9.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.5
version: 3.1

Trust: 1.0

cybersecurity@ch.abb.com: CVE-2021-22272
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-380707 // CNNVD: CNNVD-202109-1775 // NVD: CVE-2021-22272 // NVD: CVE-2021-22272

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.0

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2021-22272

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-1775

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202109-1775

PATCH

title:ABB Mybuildings Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=165206

Trust: 0.6

sources: CNNVD: CNNVD-202109-1775

EXTERNAL IDS

db:NVDid:CVE-2021-22272

Trust: 1.8

db:CNNVDid:CNNVD-202109-1775

Trust: 0.6

db:VULHUBid:VHN-380707

Trust: 0.1

db:VULMONid:CVE-2021-22272

Trust: 0.1

sources: VULHUB: VHN-380707 // VULMON: CVE-2021-22272 // CNNVD: CNNVD-202109-1775 // NVD: CVE-2021-22272

REFERENCES

url:https://search.abb.com/library/download.aspx?documentid=9akk107992a3688&languagecode=en&documentpartid=&action=launch

Trust: 1.7

url:https://search.abb.com/library/download.aspx?documentid=9akk107992a3688&languagecode=en&documentpartid=&action=launch

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-380707 // VULMON: CVE-2021-22272 // CNNVD: CNNVD-202109-1775 // NVD: CVE-2021-22272

SOURCES

db:VULHUBid:VHN-380707
db:VULMONid:CVE-2021-22272
db:CNNVDid:CNNVD-202109-1775
db:NVDid:CVE-2021-22272

LAST UPDATE DATE

2024-08-14T13:43:24.260000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-380707date:2021-10-08T00:00:00
db:VULMONid:CVE-2021-22272date:2021-09-27T00:00:00
db:CNNVDid:CNNVD-202109-1775date:2021-10-09T00:00:00
db:NVDid:CVE-2021-22272date:2021-10-08T14:16:33.820

SOURCES RELEASE DATE

db:VULHUBid:VHN-380707date:2021-09-27T00:00:00
db:VULMONid:CVE-2021-22272date:2021-09-27T00:00:00
db:CNNVDid:CNNVD-202109-1775date:2021-09-27T00:00:00
db:NVDid:CVE-2021-22272date:2021-09-27T14:15:07.957