ID: CVE-2021-21905
Type: cve
Reporter: talos-cna@cisco.com
Modified: 2022-04-28T17:15:00
Description
A stack-based buffer overflow vulnerability exists in how the CMA readfile function of Garrett Metal Detectors iC Module CMA Version 5.0 is used at various locations. The Garrett iC Module exposes an authenticated CLI over TCP port 6877. This interface is used by a secondary GUI client, called “CMA Connect”, to interact with the iC Module on behalf of the user. After a client successfully authenticates, it can send plaintext commands to manipulate the device.
{"id": "CVE-2021-21905", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-21905", "description": "Stack-based buffer overflow vulnerability exists in how the CMA readfile function of Garrett Metal Detectors iC Module CMA Version 5.0 is used at various locations. The Garrett iC Module exposes an authenticated CLI over TCP port 6877. This interface is used by a secondary GUI client, called \u201cCMA Connect\u201d, to interact with the iC Module on behalf of the user. After a client successfully authenticates, they can send plaintext commands to manipulate the device.", "published": "2021-12-22T19:15:00", "modified": "2022-04-28T17:15:00", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 8.5}, "severity": "HIGH", "exploitabilityScore": 6.8, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21905", "reporter": "talos-cna@cisco.com", "references": ["https://talosintelligence.com/vulnerability_reports/TALOS-2021-1357"], "cvelist": ["CVE-2021-21905"], "immutableFields": [], "lastseen": "2022-04-28T19:26:58", "viewCount": 16, "enchantments": {"dependencies": 
{"references": [{"type": "talos", "idList": ["TALOS-2021-1357"]}, {"type": "thn", "idList": ["THN:C4A5E8227873000F2064FD245256AC03"]}], "rev": 4}, "score": {"value": 3.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "talos", "idList": ["TALOS-2021-1357"]}, {"type": "thn", "idList": ["THN:C4A5E8227873000F2064FD245256AC03"]}]}, "exploitation": null, "vulnersScore": 3.3}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": "Talos", "cvss": {"3": {"vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "score": 8.2}}}, "cpe": ["cpe:/o:garrett:ic_module_cma:5.0"], "cpe23": ["cpe:2.3:o:garrett:ic_module_cma:5.0:*:*:*:*:*:*:*"], "cwe": ["CWE-787"], "affectedSoftware": [{"cpeName": "garrett:ic_module_cma", "version": "5.0", "operator": "eq", "name": "garrett ic module cma"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:garrett:ic_module_cma:5.0:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1357", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1357", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"talos": [{"lastseen": "2022-01-26T11:40:18", "description": "### Summary\n\nTwo stack-based buffer overflow vulnerabilities exist in how the CMA readfile function of Garrett Metal Detectors iC Module CMA Version 5.0 is used at various locations. Convincing the system to call `readfile` on a specially-crafted file can lead to stack-based buffer overflows. An attacker can upload a malicious file to trigger these vulnerabilities.\n\n### Tested Versions\n\nGarrett Metal Detectors iC Module CMA Version 5.0\n\n### Product URLs\n\n<https://garrett.com/security/walk-through/accessories>\n\n### CVSSv3 Score\n\n8.2 - CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\n\n### CWE\n\nCWE-121 - Stack-based Buffer Overflow\n\n### Details\n\nThe Garrett iC Module provides network connectivity to either the Garrett PD 6500i or Garrett MZ 6100 models of walk-through metal detectors. This module enables a remote user to monitor statistics such as alarm and visitor counts in real time as well as make configuration changes to metal detectors.\n\nThe CMA software implements a function, `readfile` for reading arbitrary files into character buffers. An approximate decompilation of this function has been included below, for reference.\n \n \n int __cdecl readfile(unsigned __int8 *filepath, unsigned __int8 *fileContent)\n {\n int v3; // r3\n int c; // [sp+Ch] [bp-10h]\n FILE *f; // [sp+10h] [bp-Ch]\n int index; // [sp+14h] [bp-8h]\n \n index = 0;\n f = fopen((const char *)filepath, \"r\");\n if ( f )\n {\n while ( 1 )\n {\n c = fgetc(f);\n if ( c == -1 )\n break;\n if ( c == '\\n' && fileContent[index - 1] != '\\r' )\n {\n v3 = index++;\n fileContent[v3] = '\\r';\n }\n fileContent[index++] = c;\n }\n fileContent[index] = 0;\n fclose(f);\n return index;\n }\n else\n {\n strcpy((char *)fileContent, \"#>File not found\\r\\n\");\n return -1;\n }\n }\n \n\nThis function expects to receive a filepath parameter and a character array in which to place the contents of the requested file. 
At no point does the function have knowledge of the length of the provided buffer. It will simply copy, byte by byte, (with a slight unix2dos style adjustment for newline characters) the contents of the file into the buffer, without any bounds checking. If a user can control the file being read, there is a high likelihood of stack corruption and potential remote code execution. Below are three locations in the code base where this vulnerability can be exploited by an attacker.\n\n#### CVE-2021-21905 - get_ip stack-based buffer overflow\n\nThe Garrett iC Module exposes an authenticated CLI over TCP port 6877. This interface is used by a secondary GUI client, called \u201cCMA Connect\u201d, to interact with the iC Module on behalf of the user. After a client successfully authenticates, they can send plaintext commands to manipulate the device. This CLI is how the \u201cCMA Connect\u201d software invokes the majority of its functionality when getting and setting various device configurations.\n\nThe software that implements the command line interface exposes a command, `ipconfig`, that allows an authenticated user to get and set network-related information.\n\nWhen operating as expected, the `ipconfig` command returns data similar to the following.\n \n \n ipconfig\n ##\n #Hostname\t : cma-0080a38b48b3\n #Current IP\t : 192.168.0.192\n #Default Gateway : \n #Subnet Mask\t : 255.255.255.0\n #MAC Address : 00:80:a3:8b:48:b3\n #Primary DNS\t :\n #Secondary DNS\t :\n #.\n \n\nThis information is collected via a series of calls to functions such as `get_hostname`, `get_ip`, `get_gateway`, `get_subnet`, etc. For reference, an approximate decompilation of a portion of the `handle_ipconfig` function is included below. 
For brevity, functionality that was not relevant to the vulnerability (such as logging, error handling and remote client interaction) has been excluded.\n \n \n void __cdecl handle_ipconfig(uint8_t argc, unsigned __int8 **argv, client_6877 *client)\n {\n uint16_t v3; // r0\n uint16_t v4; // r0\n uint16_t v5; // r0\n size_t v6; // r0\n size_t v7; // r0\n size_t v8; // r0\n size_t v9; // r0\n size_t v10; // r0\n size_t v11; // r0\n size_t v12; // r0\n size_t v13; // r0\n size_t v14; // r0\n uint8_t interface[5]; // [sp+1Ch] [bp-C8h] BYREF\n unsigned __int8 mask_input[16]; // [sp+24h] [bp-C0h] BYREF\n unsigned __int8 dg_input[16]; // [sp+34h] [bp-B0h] BYREF\n unsigned __int8 ip_input[16]; // [sp+44h] [bp-A0h] BYREF\n uint8_t tmp_buf[124]; // [sp+54h] [bp-90h] BYREF\n uint8_t has_mask; // [sp+D2h] [bp-12h]\n uint8_t has_dg; // [sp+D3h] [bp-11h]\n uint8_t has_ip; // [sp+D4h] [bp-10h]\n uint8_t has_interface; // [sp+D5h] [bp-Fh]\n uint8_t i; // [sp+D6h] [bp-Eh]\n uint8_t family; // [sp+D7h] [bp-Dh]\n \n ...\n \n get_hostname(tmp_buf, 0x7Cu);\n sprintf((char *)tx_buffer, \"\\r\\n##\\r\\n#Hostname\\t : %s\\r\\n\", (const char *)tmp_buf);\n v6 = strlen((const char *)tx_buffer);\n reply(tx_buffer, v6, client);\n memset(tmp_buf, 0, sizeof(tmp_buf));\n get_ip(family, interface, tmp_buf); [1] get_ip can be coerced to write arbitrarily long strings into tmp_buf\n sprintf((char *)tx_buffer, \"#Current IP\\t : %s\", (const char *)tmp_buf);\n if ( family == 2 && is_dhcp_enabled(interface) || family == 10 && is_dhcp6_enabled(interface) )\n strcat((char *)tx_buffer, \" <DHCP>\");\n strcat((char *)tx_buffer, \"\\r\\n\");\n v7 = strlen((const char *)tx_buffer);\n reply(tx_buffer, v7, client);\n memset(tmp_buf, 0, sizeof(tmp_buf));\n get_gateway(interface, tmp_buf, 0x7Cu);\n sprintf((char *)tx_buffer, \"#Default Gateway : %s\\r\\n\", (const char *)tmp_buf);\n v8 = strlen((const char *)tx_buffer);\n reply(tx_buffer, v8, client);\n memset(tmp_buf, 0, sizeof(tmp_buf));\n 
get_subnet(interface, client->ipv6, tmp_buf, 0x7Cu);\n sprintf((char *)tx_buffer, \"#Subnet Mask\\t : %s\\r\\n\", (const char *)tmp_buf);\n \n ...\n }\n \n\nOf particular interest to this vulnerability is the implementation of `get_ip`, which can be coerced to copy arbitrarily long strings into `tmp_buf` through an unsafe call to `readfile`.\n\nAn approximate decompilation of the relevant portion of `get_ip` is included below, for reference.\n \n \n int __cdecl get_ip(int ipType, uint8_t *interface, uint8_t *dest)\n {\n socklen_t v4; // r2\n const char *v5; // r0\n size_t v6; // r0\n unsigned __int8 host[1025]; // [sp+20h] [bp-424h] BYREF\n ifaddrs *ifaddr; // [sp+424h] [bp-20h] BYREF\n int s; // [sp+428h] [bp-1Ch]\n int family; // [sp+42Ch] [bp-18h]\n int n; // [sp+430h] [bp-14h]\n ifaddrs *ifa; // [sp+434h] [bp-10h]\n \n if ( file_exists(\"/ltrx_user/env/public_ip\") )\n {\n readfile(\"/ltrx_user/env/public_ip\", dest);\n dest[strcspn((const char *)dest, \"\\r\\n\")] = 0;\n puts(\"Getting public IP from environment variable\");\n return 1;\n }\n ...\n }\n \n\nIf the application \u201cenvironment variable\u201d `public_ip` has been previously configured by the user, then that user-controlled value will be read directly into the `dest` buffer (the `tmp_buf[124]` buffer) without regard to the length of the `public_ip` \u201cenvironment variable\u201d. An attacker who uses `setenv public_ip [value]` to create a significantly long enough `public_ip` \u201cenvironment variable\u201d can cause a buffer-overflow by calling `ipconfig` and corrupting the stack during the call to `handle_ipconfig`. This buffer overflow results in attacker control of the program counter, and thus remote code execution, as shown in the debugger output below.\n\n#### Crash Information\n \n \n Thread 6 \"cma\" received signal SIGSEGV, Segmentation fault.\n 0x41414140 in ?? 
()\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n $r0 : 0x1e \n $r1 : 0x0 \n $r2 : 0xd707d3d8\n $r3 : 0x0 \n $r4 : 0x41414141 (\"AAAA\"?)\n $r5 : 0x200 \n $r6 : 0x0 \n $r7 : 0xb47fea88 \u2192 0xb47fec48 \u2192 \"ipconfig\"\n $r8 : 0xb5313a98 \u2192 0x00000000\n $r9 : 0xb5314920 \u2192 0x00049258 \u2192 0x00000001\n $r10 : 0xb47ff460 \u2192 0x00000001\n $r11 : 0x41414141 (\"AAAA\"?)\n $r12 : 0xa \n $sp : 0xb47fea40 \u2192 \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]\"\n $lr : 0x00014e00 \u2192 <reply+76> sub sp, r11, #4\n $pc : 0x41414140 (\"@AAA\"?)\n $cpsr: [negative ZERO CARRY overflow interrupt fast THUMB]\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:arm:THUMB \u2500\u2500\u2500\u2500\n [!] Cannot disassemble from $PC\n [!] Cannot access memory at address 0x41414140\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \n\n#### Exploit Proof of Concept\n \n \n setenv public_ip AAAAAAAAA...\n ipconfig\n \n\n#### CVE-2021-21906 - checkPassword stack-based buffer overflow\n\nEvery time a user submits a password to the CLI password prompt, the buffer containing their input is passed as the `password` parameter to the `checkPassword` function. 
An approximate decompilation of this function has been included below, for reference.\n \n \n int __cdecl checkPassword(unsigned __int8 *password)\n {\n char *v1; // r0\n char *v2; // r0\n uint8_t filename[18]; // [sp+8h] [bp-64h] BYREF\n uint8_t encrypted_input[35]; // [sp+1Ch] [bp-50h] BYREF\n uint8_t encrypted_pwd[35]; // [sp+40h] [bp-2Ch] BYREF\n int retval; // [sp+64h] [bp-8h]\n \n retval = 0;\n strcpy((char *)filename, \"/ltrx_user/secret\");\n v1 = crypt((const char *)password, \"$1$gmd$\");\n strcpy((char *)encrypted_input, v1);\n if ( file_exists(filename) )\n {\n readfile(filename, encrypted_pwd);\n if ( !strcmp((const char *)encrypted_pwd, (const char *)encrypted_input) )\n return 1;\n }\n else\n {\n v2 = crypt(\"5678\", \"$1$gmd$\");\n if ( !strcmp(v2, (const char *)encrypted_input) )\n return 1;\n }\n return retval;\n }\n \n\nThe password for the iC Module is stored in the `/ltrx_user/secret` file. When the function is called, the user-supplied password is cryptographically hashed, and the result is compared to the contents of the `/ltrx_user/secret` file. The contents of this file are fetched using a vulnerable call to `readfile`. The supplied buffer to receive the file contents, `encrypted_pwd`, is only 35 bytes long. If an attacker can alter the contents of this file (for example, using TALOS-2021-1356) then they can corrupt the stack during future authentication attempts. This buffer overflow results in attacker control of the program counter, and thus remote code execution, as shown in the debugger output below.\n\n#### Crash Information\n \n \n Thread 5 \"cma\" received signal SIGSEGV, Segmentation fault.\n 0x41414140 in ?? 
()\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n $r0 : 0x41414141 (\"AAAA\"?)\n $r1 : 0xb5330371 \u2192 0xff000000\n $r2 : 0x2e \n $r3 : 0x41414141 (\"AAAA\"?)\n $r4 : 0x00045236 \u2192 0x00000000\n $r5 : 0xffffffff\n $r6 : 0x0 \n $r7 : 0x152 \n $r8 : 0xbeb47cc0 \u2192 0xb6fbd6d0 \u2192 0xb6fbddb8 \u2192 0x00000001\n $r9 : 0xb6fbd6d0 \u2192 0xb6fbddb8 \u2192 0x00000001\n $r10 : 0xb5331460 \u2192 0x00000001\n $r11 : 0x41414141 (\"AAAA\"?)\n $r12 : 0x00042aa8 \u2192 0xb6bbbfe0 \u2192 <strcmp+0> ldrb r3, [r0], #1\n $sp : 0xb53303a8 \u2192 \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]\"\n $lr : 0x000223fc \u2192 <checkPassword+148> mov r3, r0\n $pc : 0x41414140 (\"@AAA\"?)\n $cpsr: [negative zero CARRY overflow interrupt fast THUMB]\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:arm:THUMB \u2500\u2500\u2500\u2500\n [!] Cannot disassemble from $PC\n [!] 
Cannot access memory at address 0x41414140\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n \n\n### Timeline\n\n2021-08-17 - Vendor Disclosure \n2021-11-10 - Talos granted disclosure extension \n2021-12-13 - Vendor patched \n2021-12-15 - Talos tested patch \n2021-12-20 - Public Release\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-20T00:00:00", "type": "talos", "title": "Garrett Metal Detectors iC Module CMA CLI readfile stack-based buffer overflow vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21905", "CVE-2021-21906"], "modified": "2021-12-20T00:00:00", "id": 
"TALOS-2021-1357", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1357", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:37:47", "description": "A number of security flaws have been uncovered in a networking component in Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, tamper with metal detector configurations, and even execute arbitrary code on the devices.\n\n\"An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through,\" Cisco Talos [noted](<https://blog.talosintelligence.com/2021/12/vuln-spotlight-garrett-metal-detector.html>) in a disclosure publicized last week. \"They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors.\"\n\nTalos security researcher Matt Wiseman has been credited with discovering and reporting these vulnerabilities on August 17, 2021. Patches have been released by the vendor on December 13, 2021.\n\nThe flaws reside in Garrett [iC Module](<https://garrett.com/security/walk-through/accessories>), which enables users to communicate to walk-through metal detectors like Garrett PD 6500i or Garrett MZ 6100 using a computer through the network, either wired or wirelessly. 
It allows customers to control and monitor the devices from a remote location in real-time.\n\nThe list of security vulnerabilities is below \u2013\n\n * [CVE-2021-21901](<https://nvd.nist.gov/vuln/detail/CVE-2021-21901>) (CVSS score: 9.8), [CVE-2021-21903](<https://nvd.nist.gov/vuln/detail/CVE-2021-21903>) (CVSS score: 9.8), [CVE-2021-21905](<https://nvd.nist.gov/vuln/detail/CVE-2021-21905>), and [CVE-2021-21906](<https://nvd.nist.gov/vuln/detail/CVE-2021-21906>) (CVSS scores: 8.2) - Stack-based buffer overflow vulnerabilities that can be triggered by sending a malicious packet to the device\n * [CVE-2021-21902](<https://nvd.nist.gov/vuln/detail/CVE-2021-21902>) (CVSS score: 7.5) - An authentication bypass vulnerability stemming from a race condition that can be triggered by sending a sequence of requests\n * [CVE-2021-21904](<https://nvd.nist.gov/vuln/detail/CVE-2021-21904>) (CVSS score: 9.1), [CVE-2021-21907](<https://nvd.nist.gov/vuln/detail/CVE-2021-21907>) (CVSS score: 4.9), [CVE-2021-21908](<https://nvd.nist.gov/vuln/detail/CVE-2021-21908>), and [CVE-2021-21909](<https://nvd.nist.gov/vuln/detail/CVE-2021-21909>) (CVSS scores: 6.5) - Directory traversal vulnerabilities that could be exploited by sending specially crafted commands\n\nSuccessful exploitation of the aforementioned flaws in iC Module CMA version 5.0 could allow an attacker to hijack an authenticated user's session, read, write, or delete arbitrary files on the device, and worse, lead to remote code execution.\n\nIn light of the severity of the security vulnerabilities, users are highly recommended to update to the latest version of the firmware as soon as possible.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-27T12:06:00", "type": "thn", "title": "Garrett Walk-Through Metal Detectors Can Be Hacked Remotely", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21901", "CVE-2021-21902", "CVE-2021-21903", "CVE-2021-21904", "CVE-2021-21905", "CVE-2021-21906", "CVE-2021-21907", "CVE-2021-21908", "CVE-2021-21909"], "modified": "2021-12-28T09:32:41", "id": "THN:C4A5E8227873000F2064FD245256AC03", "href": "https://thehackernews.com/2021/12/garrett-walk-through-metal-detectors.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}