Details of VAR-202110-0958

ID

VAR-202110-0958

CVE

CVE-2021-38480

TITLE

IR615 Router cross-site request forgery vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-82953 // CNNVD: CNNVD-202110-400

DESCRIPTION

InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to cross-site request forgery when unauthorized commands are submitted from a user the web application trusts. This may allow an attacker to remotely perform actions on the router’s management portal, such as making configuration changes, changing administrator credentials, and running system commands on the router. (DoS) It may be in a state. Ruimu Technology IR615 Router is a 4G industrial router of China Ruimu Technology Company. IR615 Router has a cross-site request forgery vulnerability

Trust: 2.25

sources: NVD: CVE-2021-38480 // JVNDB: JVNDB-2021-013890 // CNVD: CNVD-2021-82953 // VULMON: CVE-2021-38480

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-82953

AFFECTED PRODUCTS

vendor:	inhandnetworks	model:	ir615	scope:	eq	version:	2.3.0.r4724	Trust: 1.0
vendor:	inhandnetworks	model:	ir615	scope:	eq	version:	2.3.0.r4870	Trust: 1.0
vendor:	inhand	model:	ir615	scope:	eq	version:	ir615 firmware 2.3.0.r4724	Trust: 0.8
vendor:	inhand	model:	ir615	scope:	eq	version:	ir615 firmware 2.3.0.r4870	Trust: 0.8
vendor:	inhand	model:	ir615	scope:	eq	version:	-	Trust: 0.8
vendor:	ruimu	model:	ir615 router 2.3.0.r4724	scope:	-	version:	-	Trust: 0.6
vendor:	ruimu	model:	ir615 router 2.3.0.r4870	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2021-82953 // JVNDB: JVNDB-2021-013890 // NVD: CVE-2021-38480

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-38480
value:	HIGH
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2021-38480
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-38480
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2021-82953
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202110-400
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-38480
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-38480
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2021-82953
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-38480
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2021-38480
baseSeverity:	CRITICAL
baseScore:	9.6
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2021-38480
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-82953 // VULMON: CVE-2021-38480 // JVNDB: JVNDB-2021-013890 // CNNVD: CNNVD-202110-400 // NVD: CVE-2021-38480 // NVD: CVE-2021-38480

PROBLEMTYPE DATA

problemtype:	CWE-352	Trust: 1.0
problemtype:	Cross-site request forgery (CWE-352) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-013890 // NVD: CVE-2021-38480

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-400

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202110-400

PATCH

title:	Top Page	url:	https://www.inhandnetworks.com/	Trust: 0.8
title:	IR615 Router Fixes for cross-site request forgery vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=167811	Trust: 0.6

sources: JVNDB: JVNDB-2021-013890 // CNNVD: CNNVD-202110-400

EXTERNAL IDS

db:	NVD	id:	CVE-2021-38480	Trust: 3.9
db:	ICS CERT	id:	ICSA-21-280-05	Trust: 3.1
db:	JVN	id:	JVNVU94119363	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-013890	Trust: 0.8
db:	CNVD	id:	CNVD-2021-82953	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3346	Trust: 0.6
db:	CS-HELP	id:	SB2021100808	Trust: 0.6
db:	CNNVD	id:	CNNVD-202110-400	Trust: 0.6
db:	VULMON	id:	CVE-2021-38480	Trust: 0.1

sources: CNVD: CNVD-2021-82953 // VULMON: CVE-2021-38480 // JVNDB: JVNDB-2021-013890 // CNNVD: CNNVD-202110-400 // NVD: CVE-2021-38480

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05	Trust: 2.9
url:	https://nvd.nist.gov/vuln/detail/cve-2021-38480	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu94119363/index.html	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-280-05	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.3346	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021100808	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/352.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-82953 // VULMON: CVE-2021-38480 // JVNDB: JVNDB-2021-013890 // CNNVD: CNNVD-202110-400 // NVD: CVE-2021-38480

CREDITS

Ofir Manzur, and Nikolay Sokolik of OTORIO reported these vulnerabilities to CISA., Hay Mizrachi,Haviv Vaizman, Alik Koldobsky

Trust: 0.6

sources: CNNVD: CNNVD-202110-400

SOURCES

db:	CNVD	id:	CNVD-2021-82953
db:	VULMON	id:	CVE-2021-38480
db:	JVNDB	id:	JVNDB-2021-013890
db:	CNNVD	id:	CNNVD-202110-400
db:	NVD	id:	CVE-2021-38480

LAST UPDATE DATE

2024-08-14T13:43:17.761000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-82953	date:	2021-11-03T00:00:00
db:	VULMON	id:	CVE-2021-38480	date:	2021-10-22T00:00:00
db:	JVNDB	id:	JVNDB-2021-013890	date:	2022-09-29T06:09:00
db:	CNNVD	id:	CNNVD-202110-400	date:	2021-10-29T00:00:00
db:	NVD	id:	CVE-2021-38480	date:	2021-10-22T16:18:22.277

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-82953	date:	2021-10-12T00:00:00
db:	VULMON	id:	CVE-2021-38480	date:	2021-10-19T00:00:00
db:	JVNDB	id:	JVNDB-2021-013890	date:	2022-09-29T00:00:00
db:	CNNVD	id:	CNNVD-202110-400	date:	2021-10-07T00:00:00
db:	NVD	id:	CVE-2021-38480	date:	2021-10-19T13:15:11.347