History: Dec 24, 2021 - 7:15 a.m.

CVE-2021-20827

2021-12-24 07:15:06
CWE-312
jpcert
web.nvd.nist.gov
Tags: idec plcs, plaintext storage, password vulnerability, cve-2021-20827, security, windldr, windedit lite, data file manager

CVSS2: 5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.5
Confidence: High

EPSS: 0.002
Percentile: 55.6%

Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved on SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and may manipulate the PLC output and/or suspend the PLC.

Affected configurations

Node
  idec microsmart_fc6a_firmware, Range 2.32
  AND
  idec microsmart_fc6a, Match -
Node
  idec microsmart_plus_fc6a_firmware, Range 1.91
  AND
  idec microsmart_plus_fc6a, Match -
Node
  idec data_file_manager, Range 2.12.1
  OR
  idec windedit, Range 1.3.1
  OR
  idec windldr, Range 8.19.1

Vendor | Product | Version | CPE
idec | microsmart_fc6a_firmware | * | cpe:2.3:o:idec:microsmart_fc6a_firmware:*:*:*:*:*:*:*:*
idec | microsmart_fc6a | - | cpe:2.3:h:idec:microsmart_fc6a:-:*:*:*:*:*:*:*
idec | microsmart_plus_fc6a_firmware | * | cpe:2.3:o:idec:microsmart_plus_fc6a_firmware:*:*:*:*:*:*:*:*
idec | microsmart_plus_fc6a | - | cpe:2.3:h:idec:microsmart_plus_fc6a:-:*:*:*:*:*:*:*
idec | data_file_manager | * | cpe:2.3:a:idec:data_file_manager:*:*:*:*:*:*:*:*
idec | windedit | * | cpe:2.3:a:idec:windedit:*:*:*:*:*:*:*:*
idec | windldr | * | cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "IDEC PLC",
    "vendor": "IDEC Corporation",
    "versions": [
      {
        "status": "affected",
        "version": "FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier"
      }
    ]
  }
]
