Vulnerability-Lookup

CNVD-2021-33240

Vulnerability from cnvd - Published: 2021-05-08

Title

Motorola MH702信任管理问题漏洞

Description

Motorola MH702是美国摩托罗拉（Motorola）公司的一个路由器。 Motorola MH702x devices 2.0.0.301之前版本存在信任管理问题漏洞，该漏洞源于与支持服务器通信时未能正确验证服务器证书，攻击者可利用该漏洞访问通信通道。

Severity

高

Patch Name

Motorola MH702信任管理问题漏洞的补丁

Patch Description

Motorola MH702是美国摩托罗拉（Motorola）公司的一个路由器。 Motorola MH702x devices 2.0.0.301之前版本存在信任管理问题漏洞，该漏洞源于与支持服务器通信时未能正确验证服务器证书，攻击者可利用该漏洞访问通信通道。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：https://motorolamentor.zendesk.com/hc/en-us/articles/1260804087249

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-3460

Impacted products

Name
Motorola MH702x device <2.0.0.301

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-3460",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-3460"
    }
  },
  "description": "Motorola MH702\u662f\u7f8e\u56fd\u6469\u6258\u7f57\u62c9\uff08Motorola\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u8def\u7531\u5668\u3002\n\nMotorola MH702x devices 2.0.0.301\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4e0e\u652f\u6301\u670d\u52a1\u5668\u901a\u4fe1\u65f6\u672a\u80fd\u6b63\u786e\u9a8c\u8bc1\u670d\u52a1\u5668\u8bc1\u4e66\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u901a\u4fe1\u901a\u9053\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1ahttps://motorolamentor.zendesk.com/hc/en-us/articles/1260804087249",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-33240",
  "openTime": "2021-05-08",
  "patchDescription": "Motorola MH702\u662f\u7f8e\u56fd\u6469\u6258\u7f57\u62c9\uff08Motorola\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u8def\u7531\u5668\u3002\r\n\r\nMotorola MH702x devices 2.0.0.301\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4e0e\u652f\u6301\u670d\u52a1\u5668\u901a\u4fe1\u65f6\u672a\u80fd\u6b63\u786e\u9a8c\u8bc1\u670d\u52a1\u5668\u8bc1\u4e66\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u901a\u4fe1\u901a\u9053\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Motorola MH702\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Motorola MH702x device \u003c2.0.0.301"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-3460",
  "serverity": "\u9ad8",
  "submitTime": "2021-05-06",
  "title": "Motorola MH702\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2021-3460 (GCVE-0-2021-3460)

Vulnerability from cvelistv5 – Published: 2021-04-13 20:41 – Updated: 2024-08-03 16:53

Summary

The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-295 - Improper Certificate Validation

Assigner

lenovo

References

1 reference

URL	Tags
https://motorolamentor.zendesk.com/hc/en-us/artic…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Motorola	MH702x	Affected: unspecified , < 2.0.0.301 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:53:17.619Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://motorolamentor.zendesk.com/hc/en-us/articles/1260804087249"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MH702x",
          "vendor": "Motorola",
          "versions": [
            {
              "lessThan": "2.0.0.301",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295 Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-13T20:41:43.000Z",
        "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "shortName": "lenovo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://motorolamentor.zendesk.com/hc/en-us/articles/1260804087249"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update Motorola MH702x devices to firmware version 2.0.0.301."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@lenovo.com",
          "ID": "CVE-2021-3460",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MH702x",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.0.0.301"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Motorola"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295 Improper Certificate Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://motorolamentor.zendesk.com/hc/en-us/articles/1260804087249",
              "refsource": "MISC",
              "url": "https://motorolamentor.zendesk.com/hc/en-us/articles/1260804087249"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update Motorola MH702x devices to firmware version 2.0.0.301."
          }
        ],
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
    "assignerShortName": "lenovo",
    "cveId": "CVE-2021-3460",
    "datePublished": "2021-04-13T20:41:43.000Z",
    "dateReserved": "2021-03-22T00:00:00.000Z",
    "dateUpdated": "2024-08-03T16:53:17.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-33240

CVE-2021-3460 (GCVE-0-2021-3460)

Tags

Sightings

Nomenclature