cvelistv5 - cve-2021-37400

cve-2021-37400

Vulnerability from cvelistv5

Published

2021-12-28 12:09

Modified

2024-08-04 01:16

Severity ?

Summary

An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded.

References

URL	Tags
cve@mitre.org	https://jvn.jp/en/vu/JVNVU92279973/	Third Party Advisory
cve@mitre.org	https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A	Vendor Advisory
cve@mitre.org	https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer	Vendor Advisory
cve@mitre.org	https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://jvn.jp/en/vu/JVNVU92279973/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf	Vendor Advisory

Impacted products

Vendor

Product

Version

▼

n/a

Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:16:04.056Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/vu/JVNVU92279973/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-28T12:15:05",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jvn.jp/en/vu/JVNVU92279973/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-37400",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A",
              "refsource": "MISC",
              "url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
            },
            {
              "name": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer",
              "refsource": "MISC",
              "url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
            },
            {
              "name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
              "refsource": "MISC",
              "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
            },
            {
              "name": "https://jvn.jp/en/vu/JVNVU92279973/",
              "refsource": "MISC",
              "url": "https://jvn.jp/en/vu/JVNVU92279973/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-37400",
    "datePublished": "2021-12-28T12:09:59",
    "dateReserved": "2021-07-21T00:00:00",
    "dateUpdated": "2024-08-04T01:16:04.056Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-37400\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-12-28T13:15:08.207\",\"lastModified\":\"2024-11-21T06:15:05.053\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded.\"},{\"lang\":\"es\",\"value\":\"Un atacante puede obtener las credenciales de usuario de la comunicaci\u00f3n entre el PLC y el software. Como resultado, el programa de usuario del PLC puede ser cargado, alterado y/o descargado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:idec:data_file_manager:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.12.1\",\"matchCriteriaId\":\"5E7A2720-6B29-4BD1-B85B-293850D804A8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:idec:windedit:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.3.1\",\"matchCriteriaId\":\"FA314D4B-B187-4238-B341-E2B9F94EBEBA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"8.19.1\",\"matchCriteriaId\":\"7ED0922F-93CB-41B3-A468-44845F428945\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:idec:microsmart_plus_fc6b_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.31\",\"matchCriteriaId\":\"950DD61E-60D8-4102-A18F-18A4706DE647\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:idec:microsmart_plus_fc6b:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2FF6D25F-C546-4C37-B01E-E71BD2AF09EB\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:idec:microsmart_plus_fc6a_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.91\",\"matchCriteriaId\":\"01FFD59B-27E0-4D27-A339-FE78D7407C02\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:idec:microsmart_plus_fc6a:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6CFD58FF-AAE9-47F8-971C-442E2E8C4499\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:idec:microsmart_fc6b_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.31\",\"matchCriteriaId\":\"24BEE40B-C239-4A38-B9EE-0AAD7699D53E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:idec:microsmart_fc6b:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"051DFC18-8576-40AF-96A0-2434230234F4\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:idec:microsmart_fc6a_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.32\",\"matchCriteriaId\":\"59A9BAF0-7AFD-4918-81E2-6949B71E4208\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:idec:microsmart_fc6a:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"892DE7A7-7D54-4EE5-97B7-2B8A0B190DFB\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:idec:ft1a_smartaxix_pro_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.31\",\"matchCriteriaId\":\"7F546B0A-0B08-4B79-87A8-1286F334339E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:idec:ft1a_smartaxix_pro:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B13D383E-A48F-4C5A-B592-3356523FEEB1\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:idec:ft1a_smartaxix_lite_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.31\",\"matchCriteriaId\":\"401ED91B-67F5-4319-8B66-C028B1AB09A6\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:idec:ft1a_smartaxix_lite:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2FA6299D-C20C-4C04-B6F1-CE3DE1167770\"}]}]}],\"references\":[{\"url\":\"https://jvn.jp/en/vu/JVNVU92279973/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://jvn.jp/en/vu/JVNVU92279973/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

gsd-2021-37400

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded.

Aliases

CVE-2021-37400

Aliases

CVE-2021-37400

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-37400",
    "description": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded.",
    "id": "GSD-2021-37400"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-37400"
      ],
      "details": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded.",
      "id": "GSD-2021-37400",
      "modified": "2023-12-13T01:23:10.063157Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2021-37400",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A",
            "refsource": "MISC",
            "url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
          },
          {
            "name": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer",
            "refsource": "MISC",
            "url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
          },
          {
            "name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
            "refsource": "MISC",
            "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
          },
          {
            "name": "https://jvn.jp/en/vu/JVNVU92279973/",
            "refsource": "MISC",
            "url": "https://jvn.jp/en/vu/JVNVU92279973/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:idec:data_file_manager:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.12.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:idec:windedit:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.3.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "8.19.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:idec:microsmart_plus_fc6b_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "2.31",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:idec:microsmart_plus_fc6b:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:idec:microsmart_plus_fc6a_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.91",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:idec:microsmart_plus_fc6a:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:idec:microsmart_fc6b_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "2.31",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:idec:microsmart_fc6b:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:idec:microsmart_fc6a_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "2.32",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:idec:microsmart_fc6a:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:idec:ft1a_smartaxix_pro_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "2.31",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:idec:ft1a_smartaxix_pro:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:idec:ft1a_smartaxix_lite_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "2.31",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:idec:ft1a_smartaxix_lite:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-37400"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-522"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
            },
            {
              "name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
            },
            {
              "name": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
            },
            {
              "name": "https://jvn.jp/en/vu/JVNVU92279973/",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://jvn.jp/en/vu/JVNVU92279973/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-01-07T20:40Z",
      "publishedDate": "2021-12-28T13:15Z"
    }
  }
}

ghsa-gv42-v83p-3gw3

Vulnerability from github

Published

2021-12-29 00:00

Modified

2022-01-08 00:00

Details

An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-37400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-28T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded.",
  "id": "GHSA-gv42-v83p-3gw3",
  "modified": "2022-01-08T00:00:43Z",
  "published": "2021-12-29T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37400"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU92279973"
    },
    {
      "type": "WEB",
      "url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
    },
    {
      "type": "WEB",
      "url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
    },
    {
      "type": "WEB",
      "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded. IDEC Provided by Co., Ltd. PLC The following multiple vulnerabilities exist in. * Sending unprotected credentials ( CWE-523 ) - CVE-2021-37400 ‥ * Plaintext storage of authentication information ( CWE-256 ) - CVE-2021-374010 ‥ * Sending unprotected credentials ( CWE-523 ) - CVE-2021-20826 ‥ * Plaintext storage of authentication information ( CWE-256 ) - CVE-2021-20827 This vulnerability information is reported directly to the product developer by the following reporter, and is provided by the product developer. JPCERT/CC There is an adjustment request in JPCERT/CC Is a reporter, product developer, ICS-CERT We made adjustments with and announced it. Reporter : FM Approvals Khalid Ansari MrThe expected impact depends on each vulnerability, but it may be affected as follows. - CVE-2021-37400 ‥ * File server, backup repository, SD Saved on a card etc. ZLD From the file, the user's credentials are obtained by a third party. as a result, PLC Web Deprived of full access to the server, PLC The output of PLC Is stopped - CVE-2021-20826 ‥ * File server, backup repository, SD Saved on a card etc. ZLD From the file, by a third party PLC Web The server user's authentication information is acquired. as a result, PLC Web Connect to the server and PLC By being hijacked PLC The output of PLC Is stopped - CVE-2021-20827 ‥ * Data file manager v2.13.0 And later. IDEC PLC is a programmable controller

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202112-2027",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "ft1a smartaxix lite",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "idec",
        "version": "2.31"
      },
      {
        "model": "windedit",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "idec",
        "version": "1.3.1"
      },
      {
        "model": "microsmart plus fc6a",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "idec",
        "version": "1.91"
      },
      {
        "model": "microsmart fc6a",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "idec",
        "version": "2.32"
      },
      {
        "model": "data file manager",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "idec",
        "version": "2.12.1"
      },
      {
        "model": "ft1a smartaxix pro",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "idec",
        "version": "2.31"
      },
      {
        "model": "microsmart plus fc6b",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "idec",
        "version": "2.31"
      },
      {
        "model": "microsmart fc6b",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "idec",
        "version": "2.31"
      },
      {
        "model": "windldr",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "idec",
        "version": "8.19.1"
      },
      {
        "model": "ft1a \u5f62 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9 smartaxis pro/lite",
        "scope": null,
        "trust": 0.8,
        "vendor": "idec\u682a\u5f0f\u4f1a\u793e",
        "version": null
      },
      {
        "model": "fc6a \u5f62 microsmart all-in-one cpu \u30e2\u30b8\u30e5\u30fc\u30eb",
        "scope": null,
        "trust": 0.8,
        "vendor": "idec\u682a\u5f0f\u4f1a\u793e",
        "version": null
      },
      {
        "model": "fc6a \u5f62 microsmart plus cpu \u30e2\u30b8\u30e5\u30fc\u30eb",
        "scope": null,
        "trust": 0.8,
        "vendor": "idec\u682a\u5f0f\u4f1a\u793e",
        "version": null
      },
      {
        "model": "fc6b \u5f62 microsmart plus cpu \u30e2\u30b8\u30e5\u30fc\u30eb",
        "scope": null,
        "trust": 0.8,
        "vendor": "idec\u682a\u5f0f\u4f1a\u793e",
        "version": null
      },
      {
        "model": "windldr",
        "scope": null,
        "trust": 0.8,
        "vendor": "idec\u682a\u5f0f\u4f1a\u793e",
        "version": null
      },
      {
        "model": "windedit lite",
        "scope": null,
        "trust": 0.8,
        "vendor": "idec\u682a\u5f0f\u4f1a\u793e",
        "version": null
      },
      {
        "model": "\u30c7\u30fc\u30bf \u30d5\u30a1\u30a4\u30eb \u30de\u30cd\u30fc\u30b8\u30e3\u30fc",
        "scope": null,
        "trust": 0.8,
        "vendor": "idec\u682a\u5f0f\u4f1a\u793e",
        "version": null
      },
      {
        "model": "fc6b \u5f62 microsmart all-in-one cpu \u30e2\u30b8\u30e5\u30fc\u30eb",
        "scope": null,
        "trust": 0.8,
        "vendor": "idec\u682a\u5f0f\u4f1a\u793e",
        "version": null
      },
      {
        "model": "plc",
        "scope": null,
        "trust": 0.6,
        "vendor": "idec",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-02762"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006117"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37400"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Khalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation.",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202112-2604"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2021-37400",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2021-37400",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.1,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2022-02762",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2021-37400",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Adjacent Network",
            "author": "OTHER",
            "availabilityImpact": "Low",
            "baseScore": 7.6,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-006117",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2021-37400",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "OTHER",
            "id": "JVNDB-2021-006117",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2022-02762",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202112-2604",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2021-37400",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-02762"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37400"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006117"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202112-2604"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37400"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded. IDEC Provided by Co., Ltd. PLC The following multiple vulnerabilities exist in. * Sending unprotected credentials ( CWE-523 ) - CVE-2021-37400 \u2025 * Plaintext storage of authentication information ( CWE-256 ) - CVE-2021-374010 \u2025 * Sending unprotected credentials ( CWE-523 ) - CVE-2021-20826 \u2025 * Plaintext storage of authentication information ( CWE-256 ) - CVE-2021-20827 This vulnerability information is reported directly to the product developer by the following reporter, and is provided by the product developer. JPCERT/CC There is an adjustment request in JPCERT/CC Is a reporter, product developer, ICS-CERT We made adjustments with and announced it. Reporter : FM Approvals Khalid Ansari MrThe expected impact depends on each vulnerability, but it may be affected as follows. - CVE-2021-37400 \u2025 * File server, backup repository, SD Saved on a card etc. ZLD From the file, the user\u0027s credentials are obtained by a third party. as a result, PLC Web Deprived of full access to the server, PLC The output of PLC Is stopped - CVE-2021-20826 \u2025 * File server, backup repository, SD Saved on a card etc. ZLD From the file, by a third party PLC Web The server user\u0027s authentication information is acquired. as a result, PLC Web Connect to the server and PLC By being hijacked PLC The output of PLC Is stopped - CVE-2021-20827 \u2025 * Data file manager v2.13.0 And later. IDEC PLC is a programmable controller",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-37400"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006117"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2022-02762"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37400"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2021-37400",
        "trust": 3.1
      },
      {
        "db": "JVN",
        "id": "JVNVU92279973",
        "trust": 2.5
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-22-006-03",
        "trust": 1.4
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006117",
        "trust": 1.4
      },
      {
        "db": "CNVD",
        "id": "CNVD-2022-02762",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2022010709",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2022.0083",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202112-2604",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37400",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-02762"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37400"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006117"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202112-2604"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37400"
      }
    ]
  },
  "id": "VAR-202112-2027",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-02762"
      }
    ],
    "trust": 1.6
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-02762"
      }
    ]
  },
  "last_update_date": "2024-08-14T14:11:05.075000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Our company \u00a0PLC\u00a0 Contact regarding the vulnerability of",
        "trust": 0.8,
        "url": "https://support.quest.com/ja-jp/kb/288310/cert-coordination-center-report-update"
      },
      {
        "title": "Patch for Unknown Vulnerability in IDEC PLC",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/313181"
      },
      {
        "title": "IDEC PLC Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=176483"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-02762"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006117"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202112-2604"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-522",
        "trust": 1.0
      },
      {
        "problemtype": "Plaintext storage of credentials (CWE-256) [ Other ]",
        "trust": 0.8
      },
      {
        "problemtype": " Unprotected transfer of credentials (CWE-523) [ Other ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006117"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37400"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "https://us.idec.com/idec-us/en/usd/software-downloads-automation-organizer"
      },
      {
        "trust": 1.7,
        "url": "https://www.idec.com/home/lp/pdf/2021-12-24-plc.pdf"
      },
      {
        "trust": 1.7,
        "url": "https://us.idec.com/idec-us/en/usd/programmable-logic-controller/micro-plc/fc6a-microsmart/c/microsmart_fc6a"
      },
      {
        "trust": 1.7,
        "url": "https://jvn.jp/en/vu/jvnvu92279973/"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnvu92279973/"
      },
      {
        "trust": 0.8,
        "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-006-03"
      },
      {
        "trust": 0.6,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-37400"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2022010709"
      },
      {
        "trust": 0.6,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-006-03"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2022.0083"
      },
      {
        "trust": 0.6,
        "url": "https://jvndb.jvn.jp/en/contents/2021/jvndb-2021-006117.html"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/522.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-02762"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37400"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006117"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202112-2604"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37400"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2022-02762"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37400"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006117"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202112-2604"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37400"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-01-12T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2022-02762"
      },
      {
        "date": "2021-12-28T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-37400"
      },
      {
        "date": "2021-12-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-006117"
      },
      {
        "date": "2021-12-24T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202112-2604"
      },
      {
        "date": "2021-12-28T13:15:08.207000",
        "db": "NVD",
        "id": "CVE-2021-37400"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-01-18T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2022-02762"
      },
      {
        "date": "2022-01-07T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-37400"
      },
      {
        "date": "2022-01-11T07:34:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-006117"
      },
      {
        "date": "2022-01-10T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202112-2604"
      },
      {
        "date": "2022-01-07T20:40:19.347000",
        "db": "NVD",
        "id": "CVE-2021-37400"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202112-2604"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "IDEC\u00a0 Made \u00a0PLC\u00a0 Multiple vulnerabilities in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-006117"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202112-2604"
      }
    ],
    "trust": 0.6
  }
}

icsa-22-006-03

Vulnerability from csaf_cisa

Published

2022-01-06 00:00

Modified

2022-01-06 00:00

Summary

IDEC PLCs

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities could allow an attacker to upload, alter, and/or download the PLC user program. An attacker could also access the PLC web server and hijack the controllers, resulting in the manipulation and/or suspension of the PLC output.

Critical infrastructure sectors

Multiple

Countries/areas deployed

Worldwide

Company headquarters location

Japan

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Khalid Ansari"
        ],
        "organization": "FM Approvals",
        "summary": "reporting these vulnerabilities to IDEC Corporation"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities could allow an attacker to upload, alter, and/or download the PLC user program. An attacker could also access the PLC web server and hijack the controllers, resulting in the manipulation and/or suspension of the PLC output.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Multiple",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Japan",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-22-006-03 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2022/icsa-22-006-03.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-22-006-03 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-006-03"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "IDEC PLCs",
    "tracking": {
      "current_release_date": "2022-01-06T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-22-006-03",
      "initial_release_date": "2022-01-06T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2022-01-06T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-22-006-03 IDEC PLCs"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 2.12.1",
                "product": {
                  "name": "Data File Manager: v2.12.1 and earlier",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Data File Manager"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 2.32",
                "product": {
                  "name": "FC6A MICROSmart All-in-One CPU Module: v2.32 and earlier",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "FC6A MICROSmart All-in-One CPU Module"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 1.91",
                "product": {
                  "name": "FC6A MICROSmart Plus CPU Module: v1.91 and earlier",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "FC6A MICROSmart Plus CPU Module"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 2.31",
                "product": {
                  "name": "FC6B MICROSmart All-in-One CPU Module: v2.31 and earlier",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "FC6B MICROSmart All-in-One CPU Module"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 2.31",
                "product": {
                  "name": "FC6B MICROSmart Plus CPU Module: v2.31 and earlier",
                  "product_id": "CSAFPID-0005"
                }
              }
            ],
            "category": "product_name",
            "name": "FC6B MICROSmart Plus CPU Module"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 2.31",
                "product": {
                  "name": "FT1A Controller SmartAXIS Pro/Lite: v2.31 and earlier",
                  "product_id": "CSAFPID-0006"
                }
              }
            ],
            "category": "product_name",
            "name": "FT1A Controller SmartAXIS Pro/Lite"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 1.3.1",
                "product": {
                  "name": "WindEDIT: Lite v1.3.1 and earlier",
                  "product_id": "CSAFPID-0007"
                }
              }
            ],
            "category": "product_name",
            "name": "WindEDIT"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 1.3.1",
                "product": {
                  "name": "WindEDIT Lite: v1.3.1 and earlier",
                  "product_id": "CSAFPID-0008"
                }
              }
            ],
            "category": "product_name",
            "name": "WindEDIT Lite"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 8.19.1",
                "product": {
                  "name": "WindLDR: v8.19.1 and earlier",
                  "product_id": "CSAFPID-0009"
                }
              }
            ],
            "category": "product_name",
            "name": "WindLDR"
          }
        ],
        "category": "vendor",
        "name": "IDEC"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-37400",
      "cwe": {
        "id": "CWE-523",
        "name": "Unprotected Transport of Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded.CVE-2021-37400 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37400"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "FC6A MICROSmart All-in-One CPU Module: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FC6B MICROSmart All-in-One CPU Module: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FC6A MICROSmart Plus CPU Module: v2.00 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FC6B MICROSmart Plus CPU Module: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FT1A Controller SmartAXIS Pro/Lite: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "WindLDR: v8.20.0 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "WindEDIT Lite: v1.4.0 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Data File Manager: v2.13.0 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Restrict the network appropriately to prevent suspicious connections from untrusted devices",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Restrict the devices that can access PLCs",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Manage ZLD files appropriately",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information, refer to the information provided by the developer (document in Japanese).",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-37401",
      "cwe": {
        "id": "CWE-256",
        "name": "Plaintext Storage of a Password"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded.CVE-2021-37401 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37401"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "FC6A MICROSmart All-in-One CPU Module: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FC6B MICROSmart All-in-One CPU Module: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FC6A MICROSmart Plus CPU Module: v2.00 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FC6B MICROSmart Plus CPU Module: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FT1A Controller SmartAXIS Pro/Lite: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "WindLDR: v8.20.0 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "WindEDIT Lite: v1.4.0 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Data File Manager: v2.13.0 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Restrict the network appropriately to prevent suspicious connections from untrusted devices",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Restrict the devices that can access PLCs",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Manage ZLD files appropriately",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information, refer to the information provided by the developer (document in Japanese).",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-20826",
      "cwe": {
        "id": "CWE-523",
        "name": "Unprotected Transport of Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An attacker may obtain the PLC web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted.CVE-2021-20826 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20826"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "FC6A MICROSmart All-in-One CPU Module: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FC6B MICROSmart All-in-One CPU Module: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FC6A MICROSmart Plus CPU Module: v2.00 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FC6B MICROSmart Plus CPU Module: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FT1A Controller SmartAXIS Pro/Lite: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "WindLDR: v8.20.0 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "WindEDIT Lite: v1.4.0 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Data File Manager: v2.13.0 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Restrict the network appropriately to prevent suspicious connections from untrusted devices",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Restrict the devices that can access PLCs",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Manage ZLD files appropriately",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information, refer to the information provided by the developer (document in Japanese).",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2021-20827",
      "cwe": {
        "id": "CWE-256",
        "name": "Plaintext Storage of a Password"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An attacker may obtain the PLC web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted.CVE-2021-20827 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006",
          "CSAFPID-0007",
          "CSAFPID-0008",
          "CSAFPID-0009"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20827"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "FC6A MICROSmart All-in-One CPU Module: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FC6B MICROSmart All-in-One CPU Module: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FC6A MICROSmart Plus CPU Module: v2.00 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FC6B MICROSmart Plus CPU Module: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "FT1A Controller SmartAXIS Pro/Lite: v2.40 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "WindLDR: v8.20.0 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "WindEDIT Lite: v1.4.0 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Data File Manager: v2.13.0 and later",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Restrict the network appropriately to prevent suspicious connections from untrusted devices",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Restrict the devices that can access PLCs",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "Manage ZLD files appropriately",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information, refer to the information provided by the developer (document in Japanese).",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ],
          "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004",
            "CSAFPID-0005",
            "CSAFPID-0006",
            "CSAFPID-0007",
            "CSAFPID-0008",
            "CSAFPID-0009"
          ]
        }
      ]
    }
  ]
}

cve-2021-37400

Vulnerability from jvndb

Published

2021-12-27 16:54

Modified

2022-01-11 16:36

Severity ?

7.6 (High) - cvssV3_0 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Summary

Multiple vulnerabilities in IDEC PLCs

Details

Multiple PLCs provided by IDEC Corporation contain multiple vulnerabilities listed below. * Unprotected transport of credentials (CWE-523) - CVE-2021-37400 * Plaintext storage of a password (CWE-256) - CVE-2021-37401 * Unprotected transport of credentials (CWE-523) - CVE-2021-20826 * Plaintext storage of a password (CWE-256) - CVE-2021-20827 Khalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation, and IDEC Corporation reported the case to JPCERT/CC and coordinated in order to notify users of the solutions through JVN.

References

▼	Type	URL
	JVN	https://jvn.jp/en/vu/JVNVU92279973/index.html
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37400
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37401
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20826
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20827
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20826
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20827
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-37400
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-37401
	ICS-CERT ADVISORY	https://www.cisa.gov/uscert/ics/advisories/icsa-22-006-03
	Unprotected Storage of Credentials(CWE-256)	https://cwe.mitre.org/data/definitions/256.html
	Unprotected Transport of Credentials(CWE-523)	https://cwe.mitre.org/data/definitions/523.html

Impacted products

▼	Vendor	Product
	IDEC Corporation	Data File Manager
	IDEC Corporation	WindEDIT Lite
	IDEC Corporation	WindLDR
	IDEC Corporation	FT1A Controller SmartAXIS Pro/Lite
	IDEC Corporation	FC6A MICROSmart All-in-One CPU Module
	IDEC Corporation	FC6B MICROSmart All-in-One CPU Module
	IDEC Corporation	FC6A MICROSmart Plus CPU Module
	IDEC Corporation	FC6B MICROSmart Plus CPU Module

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-006117.html",
  "dc:date": "2022-01-11T16:36+09:00",
  "dcterms:issued": "2021-12-27T16:54+09:00",
  "dcterms:modified": "2022-01-11T16:36+09:00",
  "description": "Multiple PLCs provided by IDEC Corporation contain multiple vulnerabilities listed below.\r\n\r\n* Unprotected transport of credentials (CWE-523) - CVE-2021-37400\r\n* Plaintext storage of a password (CWE-256) - CVE-2021-37401\r\n* Unprotected transport of credentials (CWE-523) - CVE-2021-20826\r\n* Plaintext storage of a password (CWE-256) - CVE-2021-20827\r\n\r\nKhalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation, and IDEC Corporation reported\r\nthe case to JPCERT/CC and coordinated in order to notify users of the solutions through JVN.",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-006117.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:idec:data_file_manager",
      "@product": "Data File Manager",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:idec:windedit",
      "@product": "WindEDIT Lite",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:idec:windldr",
      "@product": "WindLDR",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:idec:ft1a_smartaxix_pro_firmware",
      "@product": "FT1A Controller SmartAXIS Pro/Lite",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:idec:microsmart_fc6a_firmware",
      "@product": "FC6A MICROSmart All-in-One CPU Module",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:idec:microsmart_fc6b_firmware",
      "@product": "FC6B MICROSmart All-in-One CPU Module",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:idec:microsmart_plus_fc6a_firmware",
      "@product": "FC6A MICROSmart Plus CPU Module",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:idec:microsmart_plus_fc6b_firmware",
      "@product": "FC6B MICROSmart Plus CPU Module",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    }
  ],
  "sec:cvss": [
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "7.6",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-006117",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/vu/JVNVU92279973/index.html",
      "@id": "JVNVU#92279973",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37400",
      "@id": "CVE-2021-37400",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37401",
      "@id": "CVE-2021-37401",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20826",
      "@id": "CVE-2021-20826",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20827",
      "@id": "CVE-2021-20827",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20826",
      "@id": "CVE-2021-20826",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20827",
      "@id": "CVE-2021-20827",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-37400",
      "@id": "CVE-2021-37400",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-37401",
      "@id": "CVE-2021-37401",
      "@source": "NVD"
    },
    {
      "#text": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-006-03",
      "@id": "ICSA-22-006-03",
      "@source": "ICS-CERT ADVISORY"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/256.html",
      "@id": "CWE-256",
      "@title": "Unprotected Storage of Credentials(CWE-256)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/523.html",
      "@id": "CWE-523",
      "@title": "Unprotected Transport of Credentials(CWE-523)"
    }
  ],
  "title": "Multiple vulnerabilities in IDEC PLCs"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2021-37400

Vulnerability from cvelistv5

gsd-2021-37400

Vulnerability from gsd

ghsa-gv42-v83p-3gw3

Vulnerability from github

var-202112-2027

Vulnerability from variot

icsa-22-006-03

Vulnerability from csaf_cisa

cve-2021-37400

Vulnerability from jvndb

Tags

Sightings

Nomenclature