Details of VAR-202110-0955

ID

VAR-202110-0955

CVE

CVE-2021-38486

TITLE

InHand Networks IR615 Router Authorization vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2021-013885

DESCRIPTION

InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 cloud portal allows for self-registration of the affected product without any requirements to create an account, which may allow an attacker to have full control over the product and execute code within the internal network to which the product is connected. InHand Networks IR615 Router Exists in an authorization vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Ruimu Technology IR615 Router is a 4G industrial router of China Ruimu Technology Company

Trust: 2.25

sources: NVD: CVE-2021-38486 // JVNDB: JVNDB-2021-013885 // CNVD: CNVD-2021-82954 // VULMON: CVE-2021-38486

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-82954

AFFECTED PRODUCTS

vendor:	inhandnetworks	model:	ir615	scope:	eq	version:	2.3.0.r4724	Trust: 1.0
vendor:	inhandnetworks	model:	ir615	scope:	eq	version:	2.3.0.r4870	Trust: 1.0
vendor:	inhand	model:	ir615	scope:	eq	version:	ir615 firmware 2.3.0.r4724	Trust: 0.8
vendor:	inhand	model:	ir615	scope:	eq	version:	ir615 firmware 2.3.0.r4870	Trust: 0.8
vendor:	inhand	model:	ir615	scope:	eq	version:	-	Trust: 0.8
vendor:	ruimu	model:	ir615 router 2.3.0.r4724	scope:	-	version:	-	Trust: 0.6
vendor:	ruimu	model:	ir615 router 2.3.0.r4870	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2021-82954 // JVNDB: JVNDB-2021-013885 // NVD: CVE-2021-38486

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-38486
value:	HIGH
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2021-38486
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-38486
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2021-82954
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202110-401
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-38486
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-38486
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2021-82954
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-38486
baseSeverity:	HIGH
baseScore:	8.5
vectorString:	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	6.0
version:	3.1
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2021-38486
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.3
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2021-38486
baseSeverity:	HIGH
baseScore:	8.5
vectorString:	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-82954 // VULMON: CVE-2021-38486 // JVNDB: JVNDB-2021-013885 // CNNVD: CNNVD-202110-401 // NVD: CVE-2021-38486 // NVD: CVE-2021-38486

PROBLEMTYPE DATA

problemtype:	CWE-862	Trust: 1.0
problemtype:	CWE-285	Trust: 1.0
problemtype:	Inappropriate authorization (CWE-285) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-013885 // NVD: CVE-2021-38486

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-401

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202110-401

PATCH

title:	Top Page	url:	https://www.inhandnetworks.com/	Trust: 0.8
title:	IR615 Router Remediation measures for authorization problem vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=167081	Trust: 0.6

sources: JVNDB: JVNDB-2021-013885 // CNNVD: CNNVD-202110-401

EXTERNAL IDS

db:	NVD	id:	CVE-2021-38486	Trust: 3.9
db:	ICS CERT	id:	ICSA-21-280-05	Trust: 3.1
db:	JVN	id:	JVNVU94119363	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-013885	Trust: 0.8
db:	CNVD	id:	CNVD-2021-82954	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3346	Trust: 0.6
db:	CS-HELP	id:	SB2021100808	Trust: 0.6
db:	CNNVD	id:	CNNVD-202110-401	Trust: 0.6
db:	VULMON	id:	CVE-2021-38486	Trust: 0.1

sources: CNVD: CNVD-2021-82954 // VULMON: CVE-2021-38486 // JVNDB: JVNDB-2021-013885 // CNNVD: CNNVD-202110-401 // NVD: CVE-2021-38486

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05	Trust: 2.9
url:	https://nvd.nist.gov/vuln/detail/cve-2021-38486	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu94119363/index.html	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-280-05	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.3346	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021100808	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/285.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-82954 // VULMON: CVE-2021-38486 // JVNDB: JVNDB-2021-013885 // CNNVD: CNNVD-202110-401 // NVD: CVE-2021-38486

CREDITS

Ofir Manzur, and Nikolay Sokolik of OTORIO reported these vulnerabilities to CISA., Hay Mizrachi,Haviv Vaizman, Alik Koldobsky

Trust: 0.6

sources: CNNVD: CNNVD-202110-401

SOURCES

db:	CNVD	id:	CNVD-2021-82954
db:	VULMON	id:	CVE-2021-38486
db:	JVNDB	id:	JVNDB-2021-013885
db:	CNNVD	id:	CNNVD-202110-401
db:	NVD	id:	CVE-2021-38486

LAST UPDATE DATE

2024-08-14T13:43:17.727000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-82954	date:	2021-11-03T00:00:00
db:	VULMON	id:	CVE-2021-38486	date:	2021-10-22T00:00:00
db:	JVNDB	id:	JVNDB-2021-013885	date:	2022-09-29T05:37:00
db:	CNNVD	id:	CNNVD-202110-401	date:	2022-10-28T00:00:00
db:	NVD	id:	CVE-2021-38486	date:	2022-10-27T13:04:59.800

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-82954	date:	2021-10-12T00:00:00
db:	VULMON	id:	CVE-2021-38486	date:	2021-10-19T00:00:00
db:	JVNDB	id:	JVNDB-2021-013885	date:	2022-09-29T00:00:00
db:	CNNVD	id:	CNNVD-202110-401	date:	2021-10-07T00:00:00
db:	NVD	id:	CVE-2021-38486	date:	2021-10-19T13:15:11.510