Lucene search

[email protected]NVD:CVE-2021-20826

HistoryDec 24, 2021 - 7:15 a.m.

CVE-2021-20826

2021-12-2407:15:06

CWE-522

[email protected]

web.nvd.nist.gov

transport vulnerability

idec plcs

credentials

web server access

manipulation

suspension.

CVSS2

3.3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:A/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.6

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

EPSS

0.001

Percentile

34.0%

JSON

Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted.

Affected configurations

Nvd

Node

idecmicrosmart_fc6aMatch-

AND

idecmicrosmart_fc6a_firmwareRange≤2.32

Node

idecmicrosmart_plus_fc6aMatch-

AND

idecmicrosmart_plus_fc6a_firmwareRange≤1.91

Node

idecdata_file_managerRange≤2.12.1

idecwindeditRange≤1.3.1

idecwindldrRange≤8.19.1

VendorProductVersionCPE
idecmicrosmart_fc6a-cpe:2.3:h:idec:microsmart_fc6a:-:*:*:*:*:*:*:*
idecmicrosmart_fc6a_firmware*cpe:2.3:o:idec:microsmart_fc6a_firmware:*:*:*:*:*:*:*:*
idecmicrosmart_plus_fc6a-cpe:2.3:h:idec:microsmart_plus_fc6a:-:*:*:*:*:*:*:*
idecmicrosmart_plus_fc6a_firmware*cpe:2.3:o:idec:microsmart_plus_fc6a_firmware:*:*:*:*:*:*:*:*
idecdata_file_manager*cpe:2.3:a:idec:data_file_manager:*:*:*:*:*:*:*:*
idecwindedit*cpe:2.3:a:idec:windedit:*:*:*:*:*:*:*:*
idecwindldr*cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
idec	microsmart_fc6a	-	cpe:2.3:h:idec:microsmart_fc6a:-:::::::*
idec	microsmart_fc6a_firmware	*	cpe:2.3:o:idec:microsmart_fc6a_firmware::::::::
idec	microsmart_plus_fc6a	-	cpe:2.3:h:idec:microsmart_plus_fc6a:-:::::::*
idec	microsmart_plus_fc6a_firmware	*	cpe:2.3:o:idec:microsmart_plus_fc6a_firmware::::::::
idec	data_file_manager	*	cpe:2.3:a:idec:data_file_manager::::::::
idec	windedit	*	cpe:2.3:a:idec:windedit::::::::
idec	windldr	*	cpe:2.3:a:idec:windldr::::::::

References

jvn.jp/en/vu/JVNVU92279973/index.html

www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf

CVSS2

3.3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:A/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.6

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

EPSS

0.001

Percentile

34.0%

JSON

Related for NVD:CVE-2021-20826

cve1 prion1 cvelist1 ics1