CVE-2021-38462 - OpenCVE

InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 does not enforce an efficient password policy. This may allow an attacker with obtained user credentials to enumerate passwords and impersonate other application users and perform operations on their behalf.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Inhandnetworks	Ir615 Ir615 Firmware

Configuration 1 [-]

AND

cpe:2.3:h:inhandnetworks:ir615:-:*:*:*:*:*:*:*

cpe:2.3:o:inhandnetworks:ir615_firmware:2.3.0.r4724:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:h:inhandnetworks:ir615:-:*:*:*:*:*:*:*

cpe:2.3:o:inhandnetworks:ir615_firmware:2.3.0.r4870:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-10-19T12:10:32.966857Z

Updated: 2024-09-16T16:44:09.207Z

Reserved: 2021-08-10T00:00:00

Link: CVE-2021-38462

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-19T13:15:10.833

Modified: 2021-10-22T15:06:37.917

Link: CVE-2021-38462

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "IR615 Router", "vendor": "InHand Networks", "versions": [{"status": "affected", "version": "2.3.0.r4724 and 2.3.0.r4870"}]}], "credits": [{"lang": "en", "value": "Haviv Vaizman, Hay Mizrachi, Alik Koldobsky, Ofir Manzur, and Nikolay Sokolik of OTORIO reported these vulnerabilities to CISA."}], "datePublic": "2021-10-07T00:00:00", "descriptions": [{"lang": "en", "value": "InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 does not enforce an efficient password policy. This may allow an attacker with obtained user credentials to enumerate passwords and impersonate other application users and perform operations on their behalf."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-521", "description": "WEAK PASSWORD REQUIREMENTS CWE-521", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-19T12:10:32", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05"}], "source": {"advisory": "ICSA-21-280-05", "discovery": "UNKNOWN"}, "title": "InHand Networks IR615 Router", "workarounds": [{"lang": "en", "value": "InHand Networks has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of this affected product are invited to contact InHand Networks customer support."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-10-07T20:12:00.000Z", "ID": "CVE-2021-38462", "STATE": "PUBLIC", "TITLE": "InHand Networks IR615 Router"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "IR615 Router", "version": {"version_data": [{"version_affected": "=", "version_value": "2.3.0.r4724 and 2.3.0.r4870"}]}}]}, "vendor_name": "InHand Networks"}]}}, "credit": [{"lang": "eng", "value": "Haviv Vaizman, Hay Mizrachi, Alik Koldobsky, Ofir Manzur, and Nikolay Sokolik of OTORIO reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 does not enforce an efficient password policy. This may allow an attacker with obtained user credentials to enumerate passwords and impersonate other application users and perform operations on their behalf."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "WEAK PASSWORD REQUIREMENTS CWE-521"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05"}]}, "source": {"advisory": "ICSA-21-280-05", "discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "InHand Networks has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of this affected product are invited to contact InHand Networks customer support."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:44:22.824Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-38462", "datePublished": "2021-10-19T12:10:32.966857Z", "dateReserved": "2021-08-10T00:00:00", "dateUpdated": "2024-09-16T16:44:09.207Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:inhandnetworks:ir615:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3237242-CF6E-4390-A9F7-85CE2C9BA29C", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:inhandnetworks:ir615_firmware:2.3.0.r4724:*:*:*:*:*:*:*", "matchCriteriaId": "FFF0F3C9-F950-422F-ACB1-FE653373FF19", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:inhandnetworks:ir615:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3237242-CF6E-4390-A9F7-85CE2C9BA29C", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:inhandnetworks:ir615_firmware:2.3.0.r4870:*:*:*:*:*:*:*", "matchCriteriaId": "A64C65DB-6951-4371-A331-A9F7A871AFB9", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 does not enforce an efficient password policy. This may allow an attacker with obtained user credentials to enumerate passwords and impersonate other application users and perform operations on their behalf."}, {"lang": "es", "value": "InHand Networks IR615 Router's Versiones 2.3.0.r4724 y 2.3.0.r4870, no aplican una pol\u00edtica de contrase\u00f1as eficaz. Esto puede permitir a un atacante con credenciales de usuario obtenidas enumerar las contrase\u00f1as y hacerse pasar por otros usuarios de la aplicaci\u00f3n y llevar a cabo operaciones en su nombre"}], "id": "CVE-2021-38462", "lastModified": "2021-10-22T15:06:37.917", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2021-10-19T13:15:10.833", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-521"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}