CVE-2021-20859

CVSS V2 High 7.7 CVSS V3 High 8

Description

ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attacker to execute an arbitrary OS command via unspecified vectors.

Overview

CVE ID
CVE-2021-20859

Assigner
vultures@jpcert.or.jp

Vulnerability Status
Analyzed

Published Version
2021-12-01T03:15:07

Last Modified Date
2021-12-02T15:24:05

Weakness Enumerations

CWE	URL
CWE-78	http://cwe.mitre.org/data/definitions/78.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version End
		AND
cpe:2.3:o:elecom:wrc-1167gst2_firmware::::::::	1	OR	1.25
cpe:2.3:h:elecom:wrc-1167gst2:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:wrc-1167gst2a_firmware::::::::	1	OR	1.25
cpe:2.3:h:elecom:wrc-1167gst2a:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:wrc-1167gst2h_firmware::::::::	1	OR	1.25
cpe:2.3:h:elecom:wrc-1167gst2h:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:wrc-2533gs2-b_firmware::::::::	1	OR	1.52
cpe:2.3:h:elecom:wrc-2533gs2-b:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:wrc-2533gs2-w_firmware::::::::	1	OR	1.52
cpe:2.3:h:elecom:wrc-2533gs2-w:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:wrc-1750gs_firmware::::::::	1	OR	1.03
cpe:2.3:h:elecom:wrc-1750gs:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:wrc-1750gsv_firmware::::::::	1	OR	2.11
cpe:2.3:h:elecom:wrc-1750gsv:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:wrc-1900gst_firmware::::::::	1	OR	1.03
cpe:2.3:h:elecom:wrc-1900gst:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:wrc-2533gst_firmware::::::::	1	OR	1.03
cpe:2.3:h:elecom:wrc-2533gst:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:wrc-2533gst2_firmware::::::::	1	OR	1.25
cpe:2.3:h:elecom:wrc-2533gst2:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:wrc-2533gsta_firmware::::::::	1	OR	1.03
cpe:2.3:h:elecom:wrc-2533gsta:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:wrc-2533gst2sp_firmware::::::::	1	OR	1.25
cpe:2.3:h:elecom:wrc-2533gst2sp:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:wrc-2533gst2-g_firmware::::::::	1	OR	1.25
cpe:2.3:h:elecom:wrc-2533gst2-g:-:::::::*	0	OR
		AND
cpe:2.3:o:elecom:edwrc-2533gst2_firmware::::::::	1	OR	1.25
cpe:2.3:h:elecom:edwrc-2533gst2:-:::::::*	0	OR

CVSS Version 2

Version
2.0

Vector String
AV:A/AC:L/Au:S/C:C/I:C/A:C

Access Vector
ADJACENT_NETWORK

Access Compatibility
LOW

Authentication
SINGLE

Confidentiality Impact
COMPLETE

Integrity Impact
COMPLETE

Availability Impact
COMPLETE

Base Score
7.7

Severity
HIGH

Exploitability Score
5.1

Impact Score
10

CVSS Version 3

Version
3.1

Vector String
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
ADJACENT_NETWORK

Attack Compatibility
LOW

Privileges Required
LOW

User Interaction
NONE

Scope
UNCHANGED

Confidentiality Impact
HIGH

Availability Impact
HIGH

Base Score
8

Base Severity
HIGH

Exploitability Score
2.1

Impact Score
5.9

References

Reference URL	Reference Tags
https://jvn.jp/en/jp/JVN88993473/index.html	Third Party Advisory
https://www.elecom.co.jp/news/security/20211130-01/	Vendor Advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2021-20859
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20859

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 06:43:34				Added to TrackCVE
2022-12-05 15:20:24	2021-12-01T03:15Z	2021-12-01T03:15:07	CVE Published Date	updated
2022-12-05 15:20:24		2021-12-02T15:24:05	CVE Modified Date	updated
2022-12-05 15:20:24		Analyzed	Vulnerability Status	updated