Published: 2021/03/12 Last Updated: 2021/03/12
JVN#47497535
M-System DL8 contains multiple vulnerabilities
Overview
DL8 provided by M-System contains multiple vulnerabilities.
Products Affected
- type A (DL8-A) versions prior to Ver3.0
- type B (DL8-B) versions prior to Ver3.0
- type C (DL8-C) versions prior to Ver3.0
- type D (DL8-D) versions prior to Ver3.0
- type E (DL8-E) versions prior to Ver3.0
Description
DL8 provided by M-System contains the following vulnerabilities:
- Denial-of-Service (CWE-400) - CVE-2021-20675
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Base Score: 6.5
  CVSS v2 AV:N/AC:L/Au:S/C:N/I:N/A:C Base Score: 6.8
- Improper Access Control (CWE-284) - CVE-2021-20676
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
  CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
Impact
- A user who is logged in to the web interface of the product may carry out a Denial-of-Service (DoS) attack - CVE-2021-20675
- A user who is logged in to the web interface of the product may perform prohibited operations - CVE-2021-20676
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Link
M-System Co., Ltd. | DL8Updater: Web-Enabled Remote Terminal Unit Firmware Updater
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
CVE-2021-20675
Takayuki Sasaki, Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVE-2021-20676
Takayuki Sasaki, Kouichirou Okada, Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
CVE | CVE-2021-20675, CVE-2021-20676
JVN iPedia | JVNDB-2021-000021