CVE-2021-43990 - OpenCVE

The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:H/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Fanuc	Roboguide

Configuration 1 [-]

cpe:2.3:a:fanuc:roboguide:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-109-03	Patch Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2022-04-19T00:00:00

Updated: 2022-04-20T15:30:28

Reserved: 2021-11-17T00:00:00

Link: CVE-2021-43990

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-04-20T16:15:08.250

Modified: 2022-10-17T18:12:56.867

Link: CVE-2021-43990

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"containers": {"cna": {"affected": [{"product": "ROBOGUIDE", "vendor": "FANUC", "versions": [{"lessThan": "v9.40083.00.05 (Rev T)", "status": "affected", "version": "All", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Sharon Brizinov with Claroty reported these vulnerabilities to CISA."}], "datePublic": "2022-04-19T00:00:00", "descriptions": [{"lang": "en", "value": "The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-20T15:30:28", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-109-03"}], "solutions": [{"lang": "en", "value": "FANUC has created a new version to address these vulnerabilities. Users may obtain and install the new version by downloading ROBOGUIDE v9 Rev U or higher from the FANUC or FANUC America website (login required)."}], "source": {"advisory": "ICSA-22-109-03", "discovery": "EXTERNAL"}, "title": "ICSA-22-109-03 FANUC ROBOGUIDE Simulation Platform", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-04-19T21:16:00.000Z", "ID": "CVE-2021-43990", "STATE": "PUBLIC", "TITLE": "ICSA-22-109-03 FANUC ROBOGUIDE Simulation Platform"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ROBOGUIDE", "version": {"version_data": [{"version_affected": "<", "version_name": "All", "version_value": "v9.40083.00.05 (Rev T)"}]}}]}, "vendor_name": "FANUC"}]}}, "credit": [{"lang": "eng", "value": "Sharon Brizinov with Claroty reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-109-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-109-03"}]}, "solution": [{"lang": "en", "value": "FANUC has created a new version to address these vulnerabilities. Users may obtain and install the new version by downloading ROBOGUIDE v9 Rev U or higher from the FANUC or FANUC America website (login required)."}], "source": {"advisory": "ICSA-22-109-03", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-43990", "datePublished": "2022-04-19T00:00:00", "dateReserved": "2021-11-17T00:00:00", "dateUpdated": "2022-04-20T15:30:28", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fanuc:roboguide:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5DCFBBA-2822-484C-8153-8B6EE8E4322F", "versionEndIncluding": "9.40083.00.05", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call."}, {"lang": "es", "value": "El producto afectado es vulnerable a un ataque basado en la red por parte de actores de amenazas que suministran una carga \u00fatil XML maliciosa y dise\u00f1ada para desencadenar una llamada de referencia a una entidad externa"}], "id": "CVE-2021-43990", "lastModified": "2022-10-17T18:12:56.867", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.0, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-04-20T16:15:08.250", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-109-03"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}