VDE-2021-057

Vulnerability from csaf_helmholzgmbhcokg - Published: 2021-03-28 13:03 - Updated: 2025-05-14 13:00
Summary
Helmholz: Privilege Escalation in shDialup (Update A)
Notes
Summary: Multiple Vulnerabilities in a software service of shDIALUP can lead to arbitrary code execution due to improper privilege management. Update A, 2022-03-28 Updated CVSS score from CVE-2021-33527 from 7.8 to 9.8 due to new information about the vulnerability
Impact: Please consult the CVE entries.
Remediation: Update shDialup to 3.9R0.5
CVE-2021-33527
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-20 - Improper Input Validation
Vendor Fix Update shDialup to 3.9R0.5
CVE-2021-33526
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-269 - Improper Privilege Management
Vendor Fix Update shDialup to 3.9R0.5
References
Acknowledgments
CERTVDE certvde.com
Claroty Noam Moshe claroty.com
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERTVDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Noam Moshe"
        ],
        "organization": "Claroty",
        "summary": "reporting",
        "urls": [
          "https://claroty.com"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Multiple Vulnerabilities in a software service of shDIALUP can lead to arbitrary code execution due to improper privilege management.\n\nUpdate A, 2022-03-28\n\nUpdated CVSS score from CVE-2021-33527 from 7.8 to 9.8 due to new information about the vulnerability",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "Please consult the CVE entries.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Update shDialup to 3.9R0.5",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@helmholz.de",
      "name": "Helmholz GmbH \u0026 Co. KG",
      "namespace": "https://www.helmholz.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2021-057: Helmholz: Privilege Escalation in shDialup (Update A) - HTML",
        "url": "https://certvde.com/de/advisories/VDE-2021-057/"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Helmholz GmbH \u0026 Co. KG",
        "url": "https://certvde.com/en/advisories/vendor/helmholz/"
      },
      {
        "category": "self",
        "summary": "VDE-2021-057: Helmholz: Privilege Escalation in shDialup (Update A) - CSAF",
        "url": "https://helmholz.csaf-tp.certvde.com/.well-known/csaf/white/2021/vde-2021-057.json"
      }
    ],
    "title": "Helmholz: Privilege Escalation in shDialup (Update A)",
    "tracking": {
      "aliases": [
        "VDE-2021-057"
      ],
      "current_release_date": "2025-05-14T13:00:15.000Z",
      "generator": {
        "date": "2025-03-05T11:11:28.586Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.20"
        }
      },
      "id": "VDE-2021-057",
      "initial_release_date": "2021-03-28T13:03:00.000Z",
      "revision_history": [
        {
          "date": "2021-03-28T13:03:00.000Z",
          "number": "1",
          "summary": "initial revision"
        },
        {
          "date": "2025-05-14T13:00:15.000Z",
          "number": "2",
          "summary": "Fix: added distribution"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "shDialup",
                "product": {
                  "name": "shDialup",
                  "product_id": "CSAFPID-11001"
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=3.9R0.0",
                "product": {
                  "name": "Firmware \u003c=3.9R0.0",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "3.9R0.5",
                "product": {
                  "name": "Firmware 3.9R0.5",
                  "product_id": "CSAFPID-22001"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "Helmholz GmbH \u0026 Co. KG"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=3.9R0.0 installed on shDialup",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 3.9R0.5 installed on shDialup",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-33527",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In MB connect line mbDIALUP versions \u003c= 3.9R0.0 a remote attacker can send a specifically crafted HTTP request to the service running with NT AUTHORITY\\SYSTEM that will not correctly validate the input. This can lead to an arbitrary code execution with the privileges of the service."
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001"
        ],
        "known_affected": [
          "CSAFPID-31001"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update shDialup to 3.9R0.5",
          "product_ids": [
            "CSAFPID-21001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001"
          ]
        }
      ],
      "title": "CVE-2021-33527"
    },
    {
      "cve": "CVE-2021-33526",
      "cwe": {
        "id": "CWE-269",
        "name": "Improper Privilege Management"
      },
      "notes": [
        {
          "category": "summary",
          "text": "In MB connect line mbDIALUP versions \u003c= 3.9R0.0 a low privileged local attacker can send a command to the service running with NT AUTHORITY\\SYSTEM instructing it to execute a malicous OpenVPN configuration resulting in arbitrary code execution with the privileges of the service."
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001"
        ],
        "known_affected": [
          "CSAFPID-31001"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update shDialup to 3.9R0.5",
          "product_ids": [
            "CSAFPID-21001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001"
          ]
        }
      ],
      "title": "CVE-2021-33526"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.