CVE-2021-23279 - OpenCVE

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Eaton	Intelligent Power Manager Intelligent Power Manager Virtual Appliance Intelligent Power Protector

Configuration 1 [-]

OR	cpe:2.3:a:eaton:intelligent_power_manager::::::::
	cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance::::::::
	cpe:2.3:a:eaton:intelligent_power_protector::::::::

No data.

References

Link	Providers
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: Eaton

Published: 2021-04-13T18:03:26.395946Z

Updated: 2024-09-16T17:18:54.414Z

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23279

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-04-13T19:15:14.883

Modified: 2021-04-21T15:06:09.213

Link: CVE-2021-23279

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Intelligent Power manager (IPM)", "vendor": "Eaton", "versions": [{"lessThan": "1.69", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Amir Preminger from Claroty research"}], "datePublic": "2021-04-01T00:00:00", "descriptions": [{"lang": "en", "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-13T18:03:26", "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "shortName": "Eaton"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"}], "solutions": [{"lang": "en", "value": "upgrade the software to latest version 1.69"}], "source": {"advisory": "ETN-VA-2021-1000", "defect": ["ETN-VA-2021-1000"], "discovery": "EXTERNAL"}, "title": "Arbitrary File delete", "workarounds": [{"lang": "en", "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 & 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "Improper Input validation", "ASSIGNER": "CybersecurityCOE@eaton.com", "DATE_PUBLIC": "2021-04-01T07:00:00.000Z", "ID": "CVE-2021-23279", "STATE": "PUBLIC", "TITLE": "Arbitrary File delete"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Intelligent Power manager (IPM)", "version": {"version_data": [{"version_affected": "<", "version_value": "1.69"}]}}]}, "vendor_name": "Eaton"}]}}, "credit": [{"lang": "eng", "value": "Amir Preminger from Claroty research"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf", "refsource": "MISC", "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"}]}, "solution": [{"lang": "en", "value": "upgrade the software to latest version 1.69"}], "source": {"advisory": "ETN-VA-2021-1000", "defect": ["ETN-VA-2021-1000"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 & 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:55.624Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "assignerShortName": "Eaton", "cveId": "CVE-2021-23279", "datePublished": "2021-04-13T18:03:26.395946Z", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-09-16T17:18:54.414Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E2C63CA-B479-49C4-8C98-F5AE9BF06A2F", "versionEndExcluding": "1.69", "vulnerable": true}, {"criteria": "cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance:*:*:*:*:*:*:*:*", "matchCriteriaId": "10CFCD42-A9D6-468B-9287-03B4341B129A", "versionEndExcluding": "1.69", "vulnerable": true}, {"criteria": "cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A67B7A8-E508-4854-9437-BF702692948C", "versionEndExcluding": "1.68", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed."}, {"lang": "es", "value": "Eaton Intelligent Power Manager (IPM) versiones anteriores a 1.69, es susceptible a una vulnerabilidad de eliminaci\u00f3n de archivos arbitrarios no autenticados inducida debido a una comprobaci\u00f3n inapropiada de entrada en la clase meta_driver_srv.js con la acci\u00f3n saveDriverData utilizando un driverID no v\u00e1lido. Un atacante puede enviar paquetes especialmente dise\u00f1ados para eliminar los archivos del sistema donde est\u00e1 instalado el software IPM"}], "id": "CVE-2021-23279", "lastModified": "2021-04-21T15:06:09.213", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.8, "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}]}, "published": "2021-04-13T19:15:14.883", "references": [{"source": "CybersecurityCOE@eaton.com", "tags": ["Vendor Advisory"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"}], "sourceIdentifier": "CybersecurityCOE@eaton.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}]}