Details of VAR-202111-0006

ID

VAR-202111-0006

CVE

CVE-2021-3774

TITLE

Meross Smart Wi-Fi 2 Way Wall Switch Vulnerability regarding lack of encryption of critical data in

Trust: 0.8

sources: JVNDB: JVNDB-2021-014745

DESCRIPTION

Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), on its 3.1.3 version and before, creates an open Wi-Fi Access Point without the required security measures in its initial setup. This could allow a remote attacker to obtain the Wi-Fi SSID as well as the password configured by the user from Meross app via Http/JSON plain request

Trust: 1.62

sources: NVD: CVE-2021-3774 // JVNDB: JVNDB-2021-014745

IOT TAXONOMY

category:

['network device']

sub_category:

switch

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor:	meross	model:	mss550x	scope:	lte	version:	3.1.3	Trust: 1.0
vendor:	meross	model:	mss550x	scope:	eq	version:	-	Trust: 0.8
vendor:	meross	model:	mss550x	scope:	lte	version:	meross mss550x firmware 3.1.3 and earlier	Trust: 0.8

sources: JVNDB: JVNDB-2021-014745 // NVD: CVE-2021-3774

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-3774
value:	MEDIUM
Trust: 1.0
cve-coordination@incibe.es:	CVE-2021-3774
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-3774
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202111-520
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2021-3774
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2021-3774
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
cve-coordination@incibe.es:	CVE-2021-3774
baseSeverity:	HIGH
baseScore:	7.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	4.0
version:	3.1
Trust: 1.0
NVD:	CVE-2021-3774
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2021-014745 // CNNVD: CNNVD-202111-520 // NVD: CVE-2021-3774 // NVD: CVE-2021-3774

PROBLEMTYPE DATA

problemtype:	CWE-319	Trust: 1.0
problemtype:	Lack of encryption of critical data (CWE-311) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-014745 // NVD: CVE-2021-3774

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-520

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202111-520

PATCH

title:	Top Page	url:	https://meross.com/home	Trust: 0.8
title:	Meross Smart Wi-Fi 2 Way Wall Switch Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=170223	Trust: 0.6

sources: JVNDB: JVNDB-2021-014745 // CNNVD: CNNVD-202111-520

EXTERNAL IDS

db:	NVD	id:	CVE-2021-3774	Trust: 3.3
db:	JVNDB	id:	JVNDB-2021-014745	Trust: 0.8
db:	CNNVD	id:	CNNVD-202111-520	Trust: 0.6
db:	OTHER	id:	NONE	Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2021-014745 // CNNVD: CNNVD-202111-520 // NVD: CVE-2021-3774

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2021-3774	Trust: 1.4
url:	https://www.incibe-cert.es/en/early-warning/security-advisories/meross-mss550x-missing-encryption-sensitive-data	Trust: 1.4
url:	https://www.incibe.es/en/incibe-cert/notices/aviso/meross-mss550x-missing-encryption-sensitive-data	Trust: 1.0
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2021-014745 // CNNVD: CNNVD-202111-520 // NVD: CVE-2021-3774

SOURCES

db:	OTHER	id:	-
db:	JVNDB	id:	JVNDB-2021-014745
db:	CNNVD	id:	CNNVD-202111-520
db:	NVD	id:	CVE-2021-3774

LAST UPDATE DATE

2025-01-30T21:22:44.260000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2021-014745	date:	2022-10-27T04:46:00
db:	CNNVD	id:	CNNVD-202111-520	date:	2022-10-28T00:00:00
db:	NVD	id:	CVE-2021-3774	date:	2024-11-21T06:22:23.747

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2021-014745	date:	2022-10-27T00:00:00
db:	CNNVD	id:	CNNVD-202111-520	date:	2021-11-05T00:00:00
db:	NVD	id:	CVE-2021-3774	date:	2021-11-05T21:15:08.480