CVE-2021-22764 - OpenCVE

A CWE-287: Improper Authentication vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could cause loss of connectivity to the device via Modbus TCP protocol when an attacker sends a specially crafted HTTP request.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Powerlogic Pm5563 Powerlogic Pm5563 Firmware Powerlogic Pm5561 Firmware Powerlogic Pm5562 Firmware Powerlogic Pm5561 Powerlogic Pm5560 Powerlogic Pm5560 Firmware Powerlogic Pm5562

Configuration 1 [-]

AND

cpe:2.3:o:schneider-electric:powerlogic_pm5560_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:powerlogic_pm5560:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:schneider-electric:powerlogic_pm5561_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:powerlogic_pm5561:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:schneider-electric:powerlogic_pm5562_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:powerlogic_pm5562:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:schneider-electric:powerlogic_pm5563_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:powerlogic_pm5563:-:*:*:*:*:*:*:*

References

Link	Resource
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-02%2Chttp://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2021-06-11T15:40:47

Updated: 2021-06-11T15:40:47

Reserved: 2021-01-06T00:00:00

Link: CVE-2021-22764

JSON object: View

NVD Information

Status : Modified

Published: 2021-06-11T16:15:10.390

Modified: 2023-11-07T03:30:25.010

Link: CVE-2021-22764

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "PowerLogic PM55xx, PowerLogic EGX100, and PowerLogic EGX300 (see security notification for version infromation) ", "vendor": "n/a", "versions": [{"status": "affected", "version": "PowerLogic PM55xx, PowerLogic EGX100, and PowerLogic EGX300 (see security notification for version infromation)"}]}], "descriptions": [{"lang": "en", "value": "A CWE-287: Improper Authentication vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could cause loss of connectivity to the device via Modbus TCP protocol when an attacker sends a specially crafted HTTP request."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-11T15:40:47", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-02%2Chttp://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2021-22764", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PowerLogic PM55xx, PowerLogic EGX100, and PowerLogic EGX300 (see security notification for version infromation) ", "version": {"version_data": [{"version_value": "PowerLogic PM55xx, PowerLogic EGX100, and PowerLogic EGX300 (see security notification for version infromation)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CWE-287: Improper Authentication vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could cause loss of connectivity to the device via Modbus TCP protocol when an attacker sends a specially crafted HTTP request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287: Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-02,http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03", "refsource": "MISC", "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-02,http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"}]}}}}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2021-22764", "datePublished": "2021-06-11T15:40:47", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2021-06-11T15:40:47", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:powerlogic_pm5560_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F8EC9ED-1E27-40B8-84A8-F66BC9FD0803", "versionEndExcluding": "2.7.8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:powerlogic_pm5560:-:*:*:*:*:*:*:*", "matchCriteriaId": "6DDB1B76-3862-462E-B55D-875EBE508B92", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:powerlogic_pm5561_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE3EFC50-39EA-4029-9713-9D191357DD29", "versionEndExcluding": "10.7.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:powerlogic_pm5561:-:*:*:*:*:*:*:*", "matchCriteriaId": "00D6C9E0-7DB3-4742-86F0-3430E99D1B1D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:powerlogic_pm5562_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "FDBB46A2-4EAD-41DA-AC02-5E985EB755A1", "versionEndIncluding": "2.5.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:powerlogic_pm5562:-:*:*:*:*:*:*:*", "matchCriteriaId": "55D7896E-3EFA-4632-B0D2-273084D56936", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:powerlogic_pm5563_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E870589-0ADF-4B76-89CF-2D36F5C61CF0", "versionEndExcluding": "2.7.8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:powerlogic_pm5563:-:*:*:*:*:*:*:*", "matchCriteriaId": "C5D4C9C4-C258-453B-85E4-893978D6C499", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A CWE-287: Improper Authentication vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could cause loss of connectivity to the device via Modbus TCP protocol when an attacker sends a specially crafted HTTP request."}, {"lang": "es", "value": "Un CWE-287: Se presenta una vulnerabilidad de autenticaci\u00f3n inapropiada en PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 y PowerLogic EGX300 (v\u00e9ase la notificaci\u00f3n de seguridad para obtener informaci\u00f3n sobre la versi\u00f3n) que podr\u00eda causar la p\u00e9rdida de conectividad con el dispositivo por medio del protocolo Modbus TCP cuando un atacante env\u00eda una petici\u00f3n HTTP especialmente dise\u00f1ada"}], "id": "CVE-2021-22764", "lastModified": "2023-11-07T03:30:25.010", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-11T16:15:10.390", "references": [{"source": "cybersecurity@se.com", "url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-02%2Chttp://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "cybersecurity@se.com", "type": "Primary"}]}