CVE-2021-32926

Published: Jun 3, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

When an authenticated password change request takes place, this vulnerability could allow the attacker to intercept the message that includes the legitimate, new password hash and replace it with an illegitimate hash. The user would no longer be able to authenticate to the controller (Micro800: All versions, MicroLogix 1400: Version 21 and later) causing a denial-of-service condition

Affected (2)

Products: Rockwellautomation: Micro800 Firmware, Micrologix 1400 Firmware

Rockwellautomation

2 products

Micro800 Firmware

Micrologix 1400 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Rockwellautomation Micro800 Firmware	All versions

Running on/with	Platform Versions
Rockwellautomation Micro800	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Rockwellautomation Micrologix 1400 Firmware	From 21.0

Running on/with	Platform Versions
Rockwellautomation Micrologix 1400	All versions

Related CWEs

Channel Accessible by Non-Endpoint

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

References (2)

https://us-cert.cisa.gov/ics/advisories/icsa-21-145-02

Source: ics-cert@hq.dhs.gov

Third Party AdvisoryUS Government Resource

https://us-cert.cisa.gov/ics/advisories/icsa-21-145-02

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.