CVE-2021-26637 : There is no account authentication and permission check logic in the firmware an

There is no account authentication and permission check logic in the firmware and existing apps of SiHAS's SGW-300, ACM-300, GCM-300, so unauthorized users can remotely control the device.

Published 2022-06-23 17:15:11

Updated 2023-06-26 17:49:21

Source KrCERT/CC

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2021-26637

Shinasys » Sihas Sgw-300 Firmware » Version: N/A For Iphone Os
cpe:2.3:o:shinasys:sihas_sgw-300_firmware:-:*:*:*:*:iphone_os:*:*
Matching versions
When used together with: Shinasys » Sihas Sgw-300 » Version: N/A
Shinasys » Sihas Sgw-300 Firmware » Version: N/A For Android
cpe:2.3:o:shinasys:sihas_sgw-300_firmware:-:*:*:*:*:android:*:*
Matching versions
When used together with: Shinasys » Sihas Sgw-300 » Version: N/A
Shinasys » Sihas Acm-300 Firmware » Version: N/A For Iphone Os
cpe:2.3:o:shinasys:sihas_acm-300_firmware:-:*:*:*:*:iphone_os:*:*
Matching versions
When used together with: Shinasys » Sihas Acm-300 » Version: N/A
Shinasys » Sihas Acm-300 Firmware » Version: N/A For Android
cpe:2.3:o:shinasys:sihas_acm-300_firmware:-:*:*:*:*:android:*:*
Matching versions
When used together with: Shinasys » Sihas Acm-300 » Version: N/A
Shinasys » Sihas Gcm-300 Firmware » Version: N/A For Iphone Os
cpe:2.3:o:shinasys:sihas_gcm-300_firmware:-:*:*:*:*:iphone_os:*:*
Matching versions
When used together with: Shinasys » Sihas Gcm-300 » Version: N/A
Shinasys » Sihas Gcm-300 Firmware » Version: N/A For Android
cpe:2.3:o:shinasys:sihas_gcm-300_firmware:-:*:*:*:*:android:*:*
Matching versions
When used together with: Shinasys » Sihas Gcm-300 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2021-26637

EPSS FAQ

0.31%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 70 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-26637

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	KrCERT/CC
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-26637

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigned by:
- nvd@nist.gov (Primary)
- vuln@krcert.or.kr (Secondary)
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Assigned by: nvd@nist.gov (Primary)
CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-26637

https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66782

Security Advisory | KrCERT/CC - KISA 인터넷 보호나라&KrCERT
Broken Link;Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2021-26637

Products affected by CVE-2021-26637

Exploit prediction scoring system (EPSS) score for CVE-2021-26637

CVSS scores for CVE-2021-26637

CWE ids for CVE-2021-26637

References for CVE-2021-26637