CVE-2021-27430
GE UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR.
Source: CVE-2021-27430
[월:] 2022년 03월
CVE-2021-27466
CVE-2021-27466
A deserialization vulnerability exists in how the ArchiveService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.
Source: CVE-2021-27466
CVE-2021-27464
CVE-2021-27464
The ArchiveService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier exposes functions lacking proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.
Source: CVE-2021-27464
CVE-2021-27462
CVE-2021-27462
A deserialization vulnerability exists in how the AosService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.
Source: CVE-2021-27462
CVE-2021-27460
CVE-2021-27460
Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier components contain .NET remoting endpoints that deserialize untrusted data without sufficiently verifying that the resulting data will be valid. This vulnerability may allow a remote, unauthenticated attacker to gain full access to the FactoryTalk AssetCentre main server and all agent machines.
Source: CVE-2021-27460
CVE-2021-27456
CVE-2021-27456
Philips Gemini PET/CT family software stores sensitive information in a removable media device that does not have built-in access control.
Source: CVE-2021-27456
CVE-2021-27468
CVE-2021-27468
The AosService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier exposes functions lacking proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.
Source: CVE-2021-27468
CVE-2021-27420
CVE-2021-27420
GE UR firmware versions prior to version 8.1x web server task does not properly handle receipt of unsupported HTTP verbs, resulting in the web server becoming temporarily unresponsive after receiving a series of unsupported HTTP requests. When unresponsive, the web server is inaccessible. By itself, this is not particularly significant as the relay remains effective in all other functionality and communication channels.
Source: CVE-2021-27420
CVE-2021-27428
CVE-2021-27428
GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without appropriate privileges. The weakness is assessed, and mitigation is implemented in firmware Version 8.10.
Source: CVE-2021-27428
CVE-2021-27426
CVE-2021-27426
GE UR IED firmware versions prior to version 8.1x with “Basic� security variant does not allow the disabling of the “Factory Mode,� which is used for servicing the IED by a “Factory� user.
Source: CVE-2021-27426