CVE-2021-38421 - Vulnerability Details - OpenCVE

Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 is vulnerable to an out-of-bounds read, which may allow an attacker to read sensitive information from other memory locations or cause a crash.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00131.

Key SSVC decision points have not yet been added.

Vendors	Products
Fujielectric Subscribe	V-server Subscribe V-simulator Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:fujielectric:v-server:::::lite:::*
	cpe:2.3:a:fujielectric:v-simulator:::::lite:::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-24873	Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 is vulnerable to an out-of-bounds read, which may allow an attacker to read sensitive information from other memory locations or cause a crash.

Fixes

Solution

Fuji Electric recommends updating software to the latest version: TELLUS Lite software: Version 4.0.12.0 Disk1 TELLUS Lite software: Version 4.0.12.0 Disk2 V-Server Lite software: Version 4.0.12.0 Disk1 V-Server Lite software: Version 4.0.12.0 Disk2

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-21-299-01

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-12-20T20:08:48

Updated: 2024-08-04T01:44:22.159Z

Reserved: 2021-08-10T00:00:00

Link: CVE-2021-38421

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-12-20T21:15:08.613

Modified: 2024-11-21T06:17:03.430

Link: CVE-2021-38421

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-125

{"containers": {"cna": {"affected": [{"product": "V-Server Lite", "vendor": " Fuji Electric", "versions": [{"lessThan": "4.0.12.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Tellus Lite V-Simulator", "vendor": " Fuji Electric", "versions": [{"lessThan": "4.0.12.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "kimiya, working with Trend Micro\u2019s Zero Day Initiative, and Michael Heinzl reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "value": "Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 is vulnerable to an out-of-bounds read, which may allow an attacker to read sensitive information from other memory locations or cause a crash."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-20T20:08:48", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-299-01"}], "solutions": [{"lang": "en", "value": "Fuji Electric recommends updating software to the latest version:\nTELLUS Lite software: Version 4.0.12.0 Disk1\nTELLUS Lite software: Version 4.0.12.0 Disk2\nV-Server Lite software: Version 4.0.12.0 Disk1\nV-Server Lite software: Version 4.0.12.0 Disk2"}], "source": {"advisory": "ICSA-21-299-01", "discovery": "EXTERNAL"}, "title": " Fuji Electric Tellus Lite V-Simulator out of bounds read", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2021-38421", "STATE": "PUBLIC", "TITLE": " Fuji Electric Tellus Lite V-Simulator out of bounds read"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "V-Server Lite", "version": {"version_data": [{"version_affected": "<", "version_value": "4.0.12.0"}]}}, {"product_name": "Tellus Lite V-Simulator", "version": {"version_data": [{"version_affected": "<", "version_value": "4.0.12.0"}]}}]}, "vendor_name": " Fuji Electric"}]}}, "credit": [{"lang": "eng", "value": "kimiya, working with Trend Micro\u2019s Zero Day Initiative, and Michael Heinzl reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 is vulnerable to an out-of-bounds read, which may allow an attacker to read sensitive information from other memory locations or cause a crash."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-125 Out-of-bounds Read"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-299-01", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-299-01"}]}, "solution": [{"lang": "en", "value": "Fuji Electric recommends updating software to the latest version:\nTELLUS Lite software: Version 4.0.12.0 Disk1\nTELLUS Lite software: Version 4.0.12.0 Disk2\nV-Server Lite software: Version 4.0.12.0 Disk1\nV-Server Lite software: Version 4.0.12.0 Disk2"}], "source": {"advisory": "ICSA-21-299-01", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:44:22.159Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-299-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-38421", "datePublished": "2021-12-20T20:08:48", "dateReserved": "2021-08-10T00:00:00", "dateUpdated": "2024-08-04T01:44:22.159Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fujielectric:v-server:*:*:*:*:lite:*:*:*", "matchCriteriaId": "BDE5CC23-7376-4E69-988E-42719159E52C", "versionEndExcluding": "4.0.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fujielectric:v-simulator:*:*:*:*:lite:*:*:*", "matchCriteriaId": "1A6F4C85-64D7-4F4A-8652-5D4B6F8E6914", "versionEndExcluding": "4.0.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0.12.0 is vulnerable to an out-of-bounds read, which may allow an attacker to read sensitive information from other memory locations or cause a crash."}, {"lang": "es", "value": "Fuji Electric V-Server Lite y Tellus Lite V-Simulator versiones anteriores a 4.0.12.0, son vulnerables a una lectura fuera de l\u00edmites, lo que puede permitir a un atacante leer informaci\u00f3n confidencial de otras ubicaciones de memoria o causar un bloqueo"}], "id": "CVE-2021-38421", "lastModified": "2024-11-21T06:17:03.430", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-20T21:15:08.613", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-299-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-299-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}