Details of VAR-202110-0960

ID

VAR-202110-0960

CVE

CVE-2021-38474

TITLE

InHand Networks IR615 Router Vulnerability in improperly limiting excessive authentication attempts in

Trust: 0.8

sources: JVNDB: JVNDB-2021-013893

DESCRIPTION

InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 have has no account lockout policy configured for the login page of the product. This may allow an attacker to execute a brute-force password attack with no time limitation and without harming the normal operation of the user. This could allow an attacker to gain valid credentials for the product interface. InHand Networks IR615 Router Is vulnerable to improper restrictions on excessive authentication attempts.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Ruimu Technology IR615 Router is a 4G industrial router of China Ruimu Technology Company

Trust: 2.25

sources: NVD: CVE-2021-38474 // JVNDB: JVNDB-2021-013893 // CNVD: CNVD-2021-82951 // VULMON: CVE-2021-38474

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-82951

AFFECTED PRODUCTS

vendor:	inhandnetworks	model:	ir615	scope:	eq	version:	2.3.0.r4724	Trust: 1.0
vendor:	inhandnetworks	model:	ir615	scope:	eq	version:	2.3.0.r4870	Trust: 1.0
vendor:	inhand	model:	ir615	scope:	eq	version:	ir615 firmware 2.3.0.r4724	Trust: 0.8
vendor:	inhand	model:	ir615	scope:	eq	version:	ir615 firmware 2.3.0.r4870	Trust: 0.8
vendor:	inhand	model:	ir615	scope:	eq	version:	-	Trust: 0.8
vendor:	ruimu	model:	ir615 router 2.3.0.r4724	scope:	-	version:	-	Trust: 0.6
vendor:	ruimu	model:	ir615 router 2.3.0.r4870	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2021-82951 // JVNDB: JVNDB-2021-013893 // NVD: CVE-2021-38474

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-38474
value:	CRITICAL
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2021-38474
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-38474
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2021-82951
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202110-398
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2021-38474
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-38474
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2021-82951
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-38474
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2021-38474
baseSeverity:	MEDIUM
baseScore:	6.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	3.4
version:	3.1
Trust: 1.0
NVD:	CVE-2021-38474
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-82951 // VULMON: CVE-2021-38474 // JVNDB: JVNDB-2021-013893 // CNNVD: CNNVD-202110-398 // NVD: CVE-2021-38474 // NVD: CVE-2021-38474

PROBLEMTYPE DATA

problemtype:	CWE-307	Trust: 1.0
problemtype:	Inappropriate limitation of excessive authentication attempts (CWE-307) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-013893 // NVD: CVE-2021-38474

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-398

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202110-398

PATCH

title:	Top Page	url:	https://www.inhandnetworks.com/	Trust: 0.8
title:	IR615 Router Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=167810	Trust: 0.6

sources: JVNDB: JVNDB-2021-013893 // CNNVD: CNNVD-202110-398

EXTERNAL IDS

db:	NVD	id:	CVE-2021-38474	Trust: 3.9
db:	ICS CERT	id:	ICSA-21-280-05	Trust: 3.1
db:	JVN	id:	JVNVU94119363	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-013893	Trust: 0.8
db:	CNVD	id:	CNVD-2021-82951	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3346	Trust: 0.6
db:	CS-HELP	id:	SB2021100808	Trust: 0.6
db:	CNNVD	id:	CNNVD-202110-398	Trust: 0.6
db:	VULMON	id:	CVE-2021-38474	Trust: 0.1

sources: CNVD: CNVD-2021-82951 // VULMON: CVE-2021-38474 // JVNDB: JVNDB-2021-013893 // CNNVD: CNNVD-202110-398 // NVD: CVE-2021-38474

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05	Trust: 2.9
url:	https://nvd.nist.gov/vuln/detail/cve-2021-38474	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu94119363/index.html	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-280-05	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.3346	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021100808	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/307.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-82951 // VULMON: CVE-2021-38474 // JVNDB: JVNDB-2021-013893 // CNNVD: CNNVD-202110-398 // NVD: CVE-2021-38474

CREDITS

Ofir Manzur, and Nikolay Sokolik of OTORIO reported these vulnerabilities to CISA., Hay Mizrachi,Haviv Vaizman, Alik Koldobsky

Trust: 0.6

sources: CNNVD: CNNVD-202110-398

SOURCES

db:	CNVD	id:	CNVD-2021-82951
db:	VULMON	id:	CVE-2021-38474
db:	JVNDB	id:	JVNDB-2021-013893
db:	CNNVD	id:	CNNVD-202110-398
db:	NVD	id:	CVE-2021-38474

LAST UPDATE DATE

2024-08-14T13:43:17.952000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-82951	date:	2021-11-03T00:00:00
db:	VULMON	id:	CVE-2021-38474	date:	2021-10-22T00:00:00
db:	JVNDB	id:	JVNDB-2021-013893	date:	2022-09-29T06:16:00
db:	CNNVD	id:	CNNVD-202110-398	date:	2021-10-29T00:00:00
db:	NVD	id:	CVE-2021-38474	date:	2021-10-22T14:47:31.103

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-82951	date:	2021-10-12T00:00:00
db:	VULMON	id:	CVE-2021-38474	date:	2021-10-19T00:00:00
db:	JVNDB	id:	JVNDB-2021-013893	date:	2022-09-29T00:00:00
db:	CNNVD	id:	CNNVD-202110-398	date:	2021-10-07T00:00:00
db:	NVD	id:	CVE-2021-38474	date:	2021-10-19T13:15:11.177