CVE-2021-41104 - OpenCVE

ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Esphome	Esphome Firmware
Espressif	Esp8266 Esp32

Configuration 1 [-]

AND

cpe:2.3:o:esphome:esphome_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:espressif:esp32:-:::::::*
	cpe:2.3:h:espressif:esp8266:-:::::::*

References

Link	Resource
https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e	Patch Third Party Advisory
https://github.com/esphome/esphome/releases/tag/2021.9.2	Release Notes Third Party Advisory
https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-09-28T15:15:11

Updated: 2021-09-28T15:15:11

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41104

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-09-28T16:15:08.413

Modified: 2021-10-07T14:13:41.657

Link: CVE-2021-41104

JSON object: View

Redhat Information

No data.

CWE

CWE-306

{"containers": {"cna": {"affected": [{"product": "esphome", "vendor": "esphome", "versions": [{"status": "affected", "version": "< 2021.9.2"}]}], "descriptions": [{"lang": "en", "value": "ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-28T15:15:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/esphome/esphome/releases/tag/2021.9.2"}], "source": {"advisory": "GHSA-48mj-p7x2-5jfm", "discovery": "UNKNOWN"}, "title": "web_server allows OTA update without checking user defined basic auth username & password", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41104", "STATE": "PUBLIC", "TITLE": "web_server allows OTA update without checking user defined basic auth username & password"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "esphome", "version": {"version_data": [{"version_value": "< 2021.9.2"}]}}]}, "vendor_name": "esphome"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-306: Missing Authentication for Critical Function"}]}]}, "references": {"reference_data": [{"name": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm", "refsource": "CONFIRM", "url": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"}, {"name": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e", "refsource": "MISC", "url": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"}, {"name": "https://github.com/esphome/esphome/releases/tag/2021.9.2", "refsource": "MISC", "url": "https://github.com/esphome/esphome/releases/tag/2021.9.2"}]}, "source": {"advisory": "GHSA-48mj-p7x2-5jfm", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41104", "datePublished": "2021-09-28T15:15:11", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2021-09-28T15:15:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:esphome:esphome_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "731C3CD3-0010-4AD8-9622-D7B79FB08EE5", "versionEndExcluding": "2021.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*", "matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C", "vulnerable": false}, {"criteria": "cpe:2.3:h:espressif:esp8266:-:*:*:*:*:*:*:*", "matchCriteriaId": "0A1C8D90-B27E-4E82-8A72-E1FF3FABA1A0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "ESPHome is a system to control the ESP8266/ESP32. Anyone with web_server enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which `web_server` allows over-the-air (OTA) updates without checking user defined basic auth username & password. This issue is patched in version 2021.9.2. As a workaround, one may disable or remove `web_server`."}, {"lang": "es", "value": "ESPHome es un sistema para controlar el ESP8266/ESP32. Cualquiera que tenga web_server habilitado y la autenticaci\u00f3n b\u00e1sica HTTP configurada en la versi\u00f3n 2021.9.1 o anterior, es vulnerable a un problema en el que \"web_server\" permite actualizaciones over-the-air (OTA) sin comprobar el nombre de usuario y la contrase\u00f1a de autenticaci\u00f3n b\u00e1sica definidos por el usuario. Este problema ha sido parcheado en la versi\u00f3n 2021.9.2. Como soluci\u00f3n, se puede deshabilitar o eliminar \"web_server\""}], "id": "CVE-2021-41104", "lastModified": "2021-10-07T14:13:41.657", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-09-28T16:15:08.413", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/esphome/esphome/pull/2409/commits/207cde1667d8c799a197b78ca8a5a14de8d5ca1e"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/esphome/esphome/releases/tag/2021.9.2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/esphome/esphome/security/advisories/GHSA-48mj-p7x2-5jfm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Secondary"}]}