CVE-2021-40341
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Summary
DES cipher, which has inadequate encryption strength, is used Hitachi Energy FOXMAN-UN to encrypt user credentials used to access the Network Elements. Successful exploitation allows sensitive information to be decrypted easily. This issue affects
- FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C;
- UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C.
List of CPEs:
- cpe:2.3:a:hitachienergy:foxman-un:R16A:::::::*
- cpe:2.3:a:hitachienergy:foxman-un:R15B:::::::*
- cpe:2.3:a:hitachienergy:foxman-un:R15A:::::::*
- cpe:2.3:a:hitachienergy:foxman-un:R14B:::::::*
- cpe:2.3:a:hitachienergy:foxman-un:R14A:::::::*
- cpe:2.3:a:hitachienergy:foxman-un:R11B:::::::*
- cpe:2.3:a:hitachienergy:foxman-un:R11A:::::::*
- cpe:2.3:a:hitachienergy:foxman-un:R10C:::::::*
- cpe:2.3:a:hitachienergy:foxman-un:R9C:::::::*
- cpe:2.3:a:hitachienergy:unem:R16A:::::::*
- cpe:2.3:a:hitachienergy:unem:R15B:::::::*
- cpe:2.3:a:hitachienergy:unem:R15A:::::::*
- cpe:2.3:a:hitachienergy:unem:R14B:::::::*
- cpe:2.3:a:hitachienergy:unem:R14A:::::::*
- cpe:2.3:a:hitachienergy:unem:R11B:::::::*
- cpe:2.3:a:hitachienergy:unem:R11A:::::::*
- cpe:2.3:a:hitachienergy:unem:R10C:::::::*
- cpe:2.3:a:hitachienergy:unem:R9C:::::::*
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Hitachi Energy | FOXMAN-UN | FOXMAN-UN R16A | affected |
| Hitachi Energy | FOXMAN-UN | FOXMAN-UN R15B | affected |
| Hitachi Energy | FOXMAN-UN | FOXMAN-UN R15A | affected |
| Hitachi Energy | FOXMAN-UN | FOXMAN-UN R14B | affected |
| Hitachi Energy | FOXMAN-UN | FOXMAN-UN R14A | affected |
| Hitachi Energy | FOXMAN-UN | FOXMAN-UN R11B | affected |
| Hitachi Energy | FOXMAN-UN | FOXMAN-UN R11A | affected |
| Hitachi Energy | FOXMAN-UN | FOXMAN-UN R10C | affected |
| Hitachi Energy | FOXMAN-UN | FOXMAN-UN R9C | affected |
| Hitachi Energy | UNEM | UNEM R16A | affected |
| Hitachi Energy | UNEM | UNEM R15B | affected |
| Hitachi Energy | UNEM | UNEM R15A | affected |
| Hitachi Energy | UNEM | UNEM R14B | affected |
| Hitachi Energy | UNEM | UNEM R14A | affected |
| Hitachi Energy | UNEM | UNEM R11B | affected |
| Hitachi Energy | UNEM | UNEM R11A | affected |
| Hitachi Energy | UNEM | UNEM R10C | affected |
| Hitachi Energy | UNEM | UNEM R9C | affected |
Weaknesses
- CWE-326: CWE-326 Inadequate Encryption Strength
Workarounds
The vulnerabilities are partially remediated in FOXMAN-UN R16A or UNEM R16A, the full remediation will be done in the upcoming release (planned).
For immediate recommended mitigation actions if using FOXMAN-UN R16A or UNEM R16A, please refer to the
Database contains credentials with weak encryption
clause of section Mitigation Factors/Workarounds in the respective products' advisory.
For immediate recommended mitigation actions if using FOXMAN-UN R15B or UNEM R15B and earlier, please refer to the multiple clauses of section Mitigation Factors/Workarounds in the advisory
- Secure the NMS CLIENT/SERVER communication.
- Embedded FOXCST with RADIUS authentication should be avoided.
- Database contains credentials with weak encryption.
ADP Enrichment
CVE Program Container
Additional References
- https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083&LanguageCode=en&DocumentPartId=&Action=Launch
- https://search.abb.com/library/Download.aspx?DocumentID=8DBD000084&LanguageCode=en&DocumentPartId=&Action=Launch
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083&LanguageCode=en&DocumentPartId=&Action=Launch
- https://search.abb.com/library/Download.aspx?DocumentID=8DBD000084&LanguageCode=en&DocumentPartId=&Action=Launch
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.