ID

VAR-202110-1090


CVE

CVE-2021-38456


TITLE

Moxa MXview Network Management Vulnerability related to use of hardcoded credentials in software

Trust: 0.8

sources: JVNDB: JVNDB-2021-013656

DESCRIPTION

A use of hard-coded password vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to gain access through accounts using default passwords. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2021-38456 // JVNDB: JVNDB-2021-013656 // VULHUB: VHN-400072

AFFECTED PRODUCTS

vendor: moxa, model: mxview, scope: lte, version: 3.2.2

Trust: 1.0

vendor: moxa, model: mxview, scope: gte, version: 3.0

Trust: 1.0

vendor: moxa, model: mxview, scope: eq, version: -

Trust: 0.8

vendor: moxa, model: mxview, scope: eq, version: 3.2.2 for up to 3.x

Trust: 0.8

sources: JVNDB: JVNDB-2021-013656 // NVD: CVE-2021-38456

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-38456
value: CRITICAL

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-38456
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-38456
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202110-234
value: CRITICAL

Trust: 0.6

VULHUB: VHN-400072
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-38456
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-400072
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-38456
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-013656
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-400072 // JVNDB: JVNDB-2021-013656 // CNNVD: CNNVD-202110-234 // NVD: CVE-2021-38456 // NVD: CVE-2021-38456

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.1

problemtype:CWE-259

Trust: 1.0

problemtype:Use of hard-coded credentials (CWE-798) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-400072 // JVNDB: JVNDB-2021-013656 // NVD: CVE-2021-38456

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-234

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202110-234

PATCH

title: MXview Series, url: https://www.moxa.com/en/support/product-support/software-and-documentation/search?psid=53389

Trust: 0.8

title: Moxa Mxview Network Management Software Repair measures for trust management problem vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=167805

Trust: 0.6

sources: JVNDB: JVNDB-2021-013656 // CNNVD: CNNVD-202110-234

EXTERNAL IDS

db: NVD, id: CVE-2021-38456

Trust: 3.3

db: ICS CERT, id: ICSA-21-278-03

Trust: 2.5

db: JVN, id: JVNVU91384521

Trust: 0.8

db: JVNDB, id: JVNDB-2021-013656

Trust: 0.8

db: AUSCERT, id: ESB-2021.3307

Trust: 0.6

db: CS-HELP, id: SB2021100607

Trust: 0.6

db: CNNVD, id: CNNVD-202110-234

Trust: 0.6

db: VULHUB, id: VHN-400072

Trust: 0.1

sources: VULHUB: VHN-400072 // JVNDB: JVNDB-2021-013656 // CNNVD: CNNVD-202110-234 // NVD: CVE-2021-38456

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-278-03

Trust: 3.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-38456

Trust: 1.4

url:http://jvn.jp/vu/jvnvu91384521/index.html

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021100607

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3307

Trust: 0.6

sources: VULHUB: VHN-400072 // JVNDB: JVNDB-2021-013656 // CNNVD: CNNVD-202110-234 // NVD: CVE-2021-38456

CREDITS

Noam Moshe from Claroty reported these vulnerabilities to Moxa.

Trust: 0.6

sources: CNNVD: CNNVD-202110-234

SOURCES

db: VULHUB, id: VHN-400072
db: JVNDB, id: JVNDB-2021-013656
db: CNNVD, id: CNNVD-202110-234
db: NVD, id: CVE-2021-38456

LAST UPDATE DATE

2024-08-14T13:23:20.523000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-400072, date: 2022-04-25T00:00:00
db: JVNDB, id: JVNDB-2021-013656, date: 2022-09-21T02:55:00
db: CNNVD, id: CNNVD-202110-234, date: 2021-10-29T00:00:00
db: NVD, id: CVE-2021-38456, date: 2022-04-25T18:00:49.470

SOURCES RELEASE DATE

db: VULHUB, id: VHN-400072, date: 2021-10-12T00:00:00
db: JVNDB, id: JVNDB-2021-013656, date: 2022-09-21T00:00:00
db: CNNVD, id: CNNVD-202110-234, date: 2021-10-05T00:00:00
db: NVD, id: CVE-2021-38456, date: 2021-10-12T14:15:08.503