CVE-2021-41296 - OpenCVE

ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ecoa	Ecs Router Controller-ecs Ecs Router Controller-ecs Firmware Riskbuster Riskbuster Firmware Riskterminator

Configuration 1 [-]

AND

cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-5132-65705-1.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2021-09-30T10:40:58.921644Z

Updated: 2024-09-17T03:17:33.292Z

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41296

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-09-30T11:15:07.707

Modified: 2021-10-07T16:29:07.963

Link: CVE-2021-41296

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ECS Router Controller ECS (FLASH)", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}, {"product": "RiskBuster Terminator E6L45", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}, {"product": "RiskBuster System RB 3.0.0", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}, {"product": "RiskBuster System TRANE 1.0", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}, {"product": "Graphic Control Software", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}, {"product": "SmartHome II E9246", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}, {"product": "RiskTerminator", "vendor": "ECOA", "versions": [{"lessThan": "unspecified", "status": "unknown", "version": "next of 0", "versionType": "custom"}]}], "datePublic": "2021-09-30T00:00:00", "descriptions": [{"lang": "en", "value": "ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-521", "description": "CWE-521 Weak Password Requirements", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-30T10:40:58", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-5132-65705-1.html"}], "solutions": [{"lang": "en", "value": "Contact tech support from ECOA."}], "source": {"advisory": "TVN-202109012", "discovery": "EXTERNAL"}, "title": "ECOA BAS controller - Weak Password Requirements", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2021-09-30T10:13:00.000Z", "ID": "CVE-2021-41296", "STATE": "PUBLIC", "TITLE": "ECOA BAS controller - Weak Password Requirements"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ECS Router Controller ECS (FLASH)", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}, {"product_name": "RiskBuster Terminator E6L45", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}, {"product_name": "RiskBuster System RB 3.0.0", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}, {"product_name": "RiskBuster System TRANE 1.0", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}, {"product_name": "Graphic Control Software", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}, {"product_name": "SmartHome II E9246", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}, {"product_name": "RiskTerminator", "version": {"version_data": [{"version_affected": "?>", "version_value": "0"}]}}]}, "vendor_name": "ECOA"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-521 Weak Password Requirements"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-5132-65705-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-5132-65705-1.html"}]}, "solution": [{"lang": "en", "value": "Contact tech support from ECOA."}], "source": {"advisory": "TVN-202109012", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:08:31.927Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-5132-65705-1.html"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2021-41296", "datePublished": "2021-09-30T10:40:58.921644Z", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-09-17T03:17:33.292Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "E80292D1-E3AD-42B6-A63E-3546010B97A3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*", "matchCriteriaId": "541B6C82-F00E-4BFC-9947-A55B2F4EDD06", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "19A28430-AB2B-423F-82D4-FC0E3A6DF335", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*", "matchCriteriaId": "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*", "matchCriteriaId": "841DF575-8E63-4AB4-A6F9-77C28FC65BCE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system."}, {"lang": "es", "value": "El controlador ECOA BAS usa un conjunto d\u00e9bil de credenciales administrativas predeterminadas que pueden ser f\u00e1cilmente adivinadas en ataques de contrase\u00f1as remotas y conseguir el control total del sistema"}], "id": "CVE-2021-41296", "lastModified": "2021-10-07T16:29:07.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Primary"}]}, "published": "2021-09-30T11:15:07.707", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-5132-65705-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}], "source": "twcert@cert.org.tw", "type": "Primary"}]}