CVE-2021-32934 - Vulnerability Details - OpenCVE

The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00105.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Throughtek	Kalay P2p Software Development Kit

Configuration 1 [-]

cpe:2.3:a:throughtek:kalay_p2p_software_development_kit:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-19655	The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01

History

Wed, 16 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-05-19T17:20:06.000Z

Updated: 2025-04-16T16:19:34.297Z

Reserved: 2021-05-13T00:00:00.000Z

Link: CVE-2021-32934

Vulnrichment

Updated: 2024-08-03T23:33:56.086Z

NVD

Status : Modified

Published: 2022-05-19T18:15:09.237

Modified: 2024-11-21T06:07:57.467

Link: CVE-2021-32934

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "P2P SDK", "vendor": "ThroughTek", "versions": [{"status": "affected", "version": "all with nossl tag"}, {"status": "unaffected", "version": "firmware using AuthKey for IOTC connection"}, {"status": "affected", "version": "firmware using AVAPI module without enabling DTLS mechanism"}, {"status": "affected", "version": "firmware using P2PTunnel or RDT module"}, {"lessThanOrEqual": "3.1.5", "status": "affected", "version": "All", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Nozomi Networks reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "value": "The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-19T17:20:06.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01"}], "source": {"advisory": "ICSA-21-166-01", "discovery": "UNKNOWN"}, "title": "ThroughTek P2P SDK - Cleartext Transmission of Sensitive Information", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2021-32934", "STATE": "PUBLIC", "TITLE": "ThroughTek P2P SDK - Cleartext Transmission of Sensitive Information"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "P2P SDK", "version": {"version_data": [{"version_affected": "<=", "version_name": "All", "version_value": "3.1.5"}, {"version_affected": "=", "version_value": "all with nossl tag"}, {"version_affected": "!", "version_value": "firmware using AuthKey for IOTC connection"}, {"version_affected": "=", "version_value": "firmware using AVAPI module without enabling DTLS mechanism"}, {"version_affected": "=", "version_value": "firmware using P2PTunnel or RDT module"}]}}]}, "vendor_name": "ThroughTek"}]}}, "credit": [{"lang": "eng", "value": "Nozomi Networks reported this vulnerability to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-319 Cleartext Transmission of Sensitive Information"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01"}]}, "source": {"advisory": "ICSA-21-166-01", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:56.086Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T15:54:43.160260Z", "id": "CVE-2021-32934", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T16:19:34.297Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-32934", "datePublished": "2022-05-19T17:20:06.000Z", "dateReserved": "2021-05-13T00:00:00.000Z", "dateUpdated": "2025-04-16T16:19:34.297Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:56.086Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-32934", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T15:54:43.160260Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T15:54:45.041Z"}}], "cna": {"title": "ThroughTek P2P SDK - Cleartext Transmission of Sensitive Information", "source": {"advisory": "ICSA-21-166-01", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "Nozomi Networks reported this vulnerability to CISA."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ThroughTek", "product": "P2P SDK", "versions": [{"status": "affected", "version": "all with nossl tag"}, {"status": "unaffected", "version": "firmware using AuthKey for IOTC connection"}, {"status": "affected", "version": "firmware using AVAPI module without enabling DTLS mechanism"}, {"status": "affected", "version": "firmware using P2PTunnel or RDT module"}, {"status": "affected", "version": "All", "versionType": "custom", "lessThanOrEqual": "3.1.5"}]}], "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-05-19T17:20:06.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Nozomi Networks reported this vulnerability to CISA."}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "ICSA-21-166-01", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "All", "version_value": "3.1.5", "version_affected": "<="}, {"version_value": "all with nossl tag", "version_affected": "="}, {"version_value": "firmware using AuthKey for IOTC connection", "version_affected": "!"}, {"version_value": "firmware using AVAPI module without enabling DTLS mechanism", "version_affected": "="}, {"version_value": "firmware using P2PTunnel or RDT module", "version_affected": "="}]}, "product_name": "P2P SDK"}]}, "vendor_name": "ThroughTek"}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-319 Cleartext Transmission of Sensitive Information"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-32934", "STATE": "PUBLIC", "TITLE": "ThroughTek P2P SDK - Cleartext Transmission of Sensitive Information", "ASSIGNER": "ics-cert@hq.dhs.gov"}}}}, "cveMetadata": {"cveId": "CVE-2021-32934", "state": "PUBLISHED", "dateUpdated": "2025-04-16T16:19:34.297Z", "dateReserved": "2021-05-13T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-05-19T17:20:06.000Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:throughtek:kalay_p2p_software_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57DEF3D-1F13-4F99-BC33-883D0C955EC4", "versionEndIncluding": "3.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds."}, {"lang": "es", "value": "Los productos P2P de ThroughTek afectados (SDKs que usan versiones anteriores a 3.1.5, cualquier versi\u00f3n con la etiqueta nossl, el firmware del dispositivo que no usa AuthKey para la conexi\u00f3n IOTC, el firmware que usa el m\u00f3dulo AVAPI sin activar el mecanismo DTLS, y el firmware que usa el m\u00f3dulo P2PTunnel o RDT) no protegen suficientemente los datos transferidos entre el dispositivo local y los servidores de ThroughTek. Esto puede permitir a un atacante acceder a informaci\u00f3n confidencial, como la alimentaci\u00f3n de la c\u00e1mara"}], "id": "CVE-2021-32934", "lastModified": "2024-11-21T06:07:57.467", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-19T18:15:09.237", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}