cnvd - cnvd-2021-59058

CNVD-2021-59058

Vulnerability from cnvd - Published: 2021-08-06

Title

QSAN多款产品访问控制错误漏洞

Description

QSAN SANOS等都是中国QSAN公司的产品。QSAN SANOS是SAN存储管理操作系统。QSAN XEVO是一款闪存数据管理系统。QSAN Storage Manager是一个NAS操作系统。 QSAN多款产品存在访问控制错误漏洞，远程攻击者可利用该漏洞发现用户凭据并通过暴力破解获得访问权限。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.twcert.org.tw/tw/cp-132-4877-7b696-1.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-32522

Impacted products

Name
['QSAN XEVO <1.2.0 (build 202007081800)', 'QSAN SANOS <=2.0.0 (build 202012222000)', 'QSAN QSAN Storage Manager <=3.3.1 (build 202101041800)']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-32522"
    }
  },
  "description": "QSAN SANOS\u7b49\u90fd\u662f\u4e2d\u56fdQSAN\u516c\u53f8\u7684\u4ea7\u54c1\u3002QSAN SANOS\u662fSAN\u5b58\u50a8\u7ba1\u7406\u64cd\u4f5c\u7cfb\u7edf\u3002QSAN XEVO\u662f\u4e00\u6b3e\u95ea\u5b58\u6570\u636e\u7ba1\u7406\u7cfb\u7edf\u3002QSAN Storage Manager\u662f\u4e00\u4e2aNAS\u64cd\u4f5c\u7cfb\u7edf\u3002\n\nQSAN\u591a\u6b3e\u4ea7\u54c1\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53d1\u73b0\u7528\u6237\u51ed\u636e\u5e76\u901a\u8fc7\u66b4\u529b\u7834\u89e3\u83b7\u5f97\u8bbf\u95ee\u6743\u9650\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.twcert.org.tw/tw/cp-132-4877-7b696-1.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-59058",
  "openTime": "2021-08-06",
  "products": {
    "product": [
      "QSAN XEVO \u003c1.2.0 (build 202007081800)",
      "QSAN SANOS \u003c=2.0.0 (build 202012222000)",
      "QSAN QSAN Storage Manager \u003c=3.3.1 (build 202101041800)"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-32522",
  "serverity": "\u4e2d",
  "submitTime": "2021-07-09",
  "title": "QSAN\u591a\u6b3e\u4ea7\u54c1\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2021-32522 (GCVE-0-2021-32522)

Vulnerability from cvelistv5 – Published: 2021-07-07 14:12 – Updated: 2024-09-16 19:14

Title

QSAN Storage Manager, XEVO, SANOS - Improper Restriction of Excessive Authentication Attempts

Summary

Improper restriction of excessive authentication attempts vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to discover users’ credentials and obtain access via a brute force attack. Suggest contacting with QSAN and refer to recommendations in QSAN Document.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-307 - Improper Restriction of Excessive Authentication Attempts

Assigner

twcert

References

URL

Tags

https://www.twcert.org.tw/tw/cp-132-4878-0a279-1.html

x_refsource_MISC

Impacted products

Vendor

Product

Version

QSAN

Storage Manager

Affected: unspecified , ≤ 3.3.1 (custom)

	QSAN	XEVO	Affected: unspecified , < 1.2.0 (custom)
	QSAN	SANOS	Affected: unspecified , ≤ 2.0.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:29.815Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.twcert.org.tw/tw/cp-132-4878-0a279-1.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Storage Manager",
          "vendor": "QSAN",
          "versions": [
            {
              "lessThanOrEqual": "3.3.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "XEVO",
          "vendor": "QSAN",
          "versions": [
            {
              "lessThan": "1.2.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "SANOS",
          "vendor": "QSAN",
          "versions": [
            {
              "lessThanOrEqual": "2.0.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-07-07T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper restriction of excessive authentication attempts vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to discover users\u2019 credentials and obtain access via a brute force attack. Suggest contacting with QSAN and refer to recommendations in QSAN Document."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-22T10:32:48",
        "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "shortName": "twcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.twcert.org.tw/tw/cp-132-4878-0a279-1.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Please refer to QSANS\u0027s recommended measures"
        }
      ],
      "source": {
        "advisory": "TVN-202104027",
        "defect": [
          "",
          ""
        ],
        "discovery": "EXTERNAL"
      },
      "title": "QSAN Storage Manager, XEVO, SANOS - Improper Restriction of Excessive Authentication Attempts",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "TWCERT/CC",
          "ASSIGNER": "cve@cert.org.tw",
          "DATE_PUBLIC": "2021-07-07T12:12:00.000Z",
          "ID": "CVE-2021-32522",
          "STATE": "PUBLIC",
          "TITLE": "QSAN Storage Manager, XEVO, SANOS - Improper Restriction of Excessive Authentication Attempts"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Storage Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "3.3.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "XEVO",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.2.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SANOS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "QSAN"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper restriction of excessive authentication attempts vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to discover users\u2019 credentials and obtain access via a brute force attack. Suggest contacting with QSAN and refer to recommendations in QSAN Document."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-307 Improper Restriction of Excessive Authentication Attempts"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.twcert.org.tw/tw/cp-132-4878-0a279-1.html",
              "refsource": "MISC",
              "url": "https://www.twcert.org.tw/tw/cp-132-4878-0a279-1.html"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Please refer to QSANS\u0027s recommended measures"
          }
        ],
        "source": {
          "advisory": "TVN-202104027",
          "defect": [
            "",
            ""
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
    "assignerShortName": "twcert",
    "cveId": "CVE-2021-32522",
    "datePublished": "2021-07-07T14:12:05.005342Z",
    "dateReserved": "2021-05-10T00:00:00",
    "dateUpdated": "2024-09-16T19:14:09.855Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-59058

CVE-2021-32522 (GCVE-0-2021-32522)

Tags

Sightings

Nomenclature