cvelist | Krcert | CVELIST:CVE-2021-26637
History: Jun 22, 2022 - 1:55 p.m.

CVE-2021-26637 SiHAS Improper Authentication vulnerability

2022-06-22 13:55:58
CWE-287
krcert
www.cve.org
sihas
authentication
vulnerability
firmware
remote control

CVSS3: 8.8
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.8
Confidence: High

EPSS: 0.002
Percentile: 56.3%

There is no account authentication and permission check logic in the firmware and existing apps of SiHAS’s SGW-300, ACM-300, GCM-300, so unauthorized users can remotely control the device.

CNA Affected

[
  {
    "platforms": [
      "Android, iOS"
    ],
    "product": "SiHAS firmware",
    "vendor": "Shina System Co.,Ltd",
    "versions": [
      {
        "status": "affected",
        "version": "1.xx"
      }
    ]
  },
  {
    "platforms": [
      "Android, iOS"
    ],
    "product": "SiHAS old app",
    "vendor": "Shina System Co.,Ltd",
    "versions": [
      {
        "status": "affected",
        "version": "old app"
      }
    ]
  }
]
