CVE-2021-26606

A vulnerability in PKI Security Solution of Dream Security could allow arbitrary command execution. This vulnerability is due to insufficient validation of the authorization certificate. An attacker could exploit this vulnerability by sending a crafted HTTP request an affected program. A successful exploit could allow the attacker to remotely execute arbitrary code on a target system.

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36174	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:dreamsecurity:magicline4nx.exe:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

13 Aug 2021, 14:09

Type	Values Removed	Values Added
CWE		CWE-120 CWE-20
CPE		cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:a:dreamsecurity:magicline4nx.exe::::::::
References	~~(MISC) https://boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36174 -~~	(MISC) https://boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36174 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 10.0 v3 : 9.8

06 Aug 2021, 15:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-08-06 15:15

Updated : 2024-02-04 21:47

NVD link : CVE-2021-26606

Mitre link : CVE-2021-26606

CVE.ORG link : CVE-2021-26606

JSON object : View

Products Affected

microsoft

windows

dreamsecurity

magicline4nx.exe

CWE

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-20

Improper Input Validation

{"id": "CVE-2021-26606", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "vuln@krcert.or.kr", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-08-06T15:15:08.617", "references": [{"url": "https://boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36174", "tags": ["Third Party Advisory"], "source": "vuln@krcert.or.kr"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-120"}, {"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "vuln@krcert.or.kr", "description": [{"lang": "en", "value": "CWE-120"}, {"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in PKI Security Solution of Dream Security could allow arbitrary command execution. This vulnerability is due to insufficient validation of the authorization certificate. An attacker could exploit this vulnerability by sending a crafted HTTP request an affected program. A successful exploit could allow the attacker to remotely execute arbitrary code on a target system."}, {"lang": "es", "value": "Una vulnerabilidad en PKI Security Solution of Dream Security podr\u00eda permitir una ejecuci\u00f3n de comandos arbitraria. Esta vulnerabilidad es debido a una comprobaci\u00f3n insuficiente del certificado de autorizaci\u00f3n. Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de una petici\u00f3n HTTP dise\u00f1ada a un programa afectado. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante ejecutar remotamente c\u00f3digo arbitrario en un sistema de destino"}], "lastModified": "2021-08-13T14:09:13.987", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dreamsecurity:magicline4nx.exe:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E60C777-884D-40E3-B405-9E61CC286998", "versionEndIncluding": "1.0.0.17"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "vuln@krcert.or.kr"}