CVE-2021-44467 An access control vulnerability in spx_restservice's KillDupUsr_func function allows an attacker to terminate active sessions of other users. This causes a DoS condition.


Attack vector: Remote

Access to the web-based management interface of the affected device is required. An attacker may exploit this vulnerability remotely by sending a crafted HTTP request to the web-based management interface of an affected device, causing it to crash and resulting in a Denial-of-Service condition. This vulnerability has been assigned Common Vulnerability Identifiers (CVID) CVE-2018-17998 and has been given the id CWE-89 as Broken Authentication in Lanner Inc IAC-AST2500A standard firmware version 1.10.0.
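The defect described above is an authorization gap in a "kill duplicate user sessions" handler: the endpoint verifies that the caller is logged in but never checks that the sessions being terminated belong to the caller. The following is an added example written for this page, not code from the advisory or from the Lanner firmware; the session store, handler names and the role model are hypothetical. It places the flawed handler beside the hardened one, where the target user is bound to the caller's own authenticated identity (or an admin role) and a denial is written to an audit log so the attempt is detectable.

```python
"""Added example: authorization check on a session-termination endpoint.
All names (SessionStore, kill_dup_sessions_*) are hypothetical and are not
taken from the affected firmware.
"""
from dataclasses import dataclass, field
import logging

log = logging.getLogger("session-audit")


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the request."""


@dataclass
class Session:
    session_id: str
    user: str
    role: str  # "user" or "admin" (constructed role model)


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)

    def add(self, s: Session) -> None:
        self.sessions[s.session_id] = s

    def get(self, sid: str):
        return self.sessions.get(sid)

    def remove(self, sid: str) -> None:
        self.sessions.pop(sid, None)


def _other_sessions_of(store: SessionStore, user: str, except_sid: str) -> list:
    """Session ids that belong to `user`, excluding the caller's own session."""
    return sorted(sid for sid, s in store.sessions.items()
                  if s.user == user and sid != except_sid)


def kill_dup_sessions_vulnerable(store: SessionStore, caller_sid: str, requested_user: str) -> list:
    """Flawed form: authenticates the caller but trusts the client-supplied
    user name, so any logged-in user can end any other user's sessions."""
    if store.get(caller_sid) is None:
        raise Forbidden("not authenticated")
    victims = _other_sessions_of(store, requested_user, caller_sid)
    for sid in victims:
        store.remove(sid)
    return victims


def kill_dup_sessions_hardened(store: SessionStore, caller_sid: str, requested_user: str) -> list:
    """Hardened form: the target user must be the caller's own identity as
    recorded server-side, unless the caller holds the admin role. Denials
    are logged so that probing of this endpoint is visible in the audit trail."""
    caller = store.get(caller_sid)
    if caller is None:
        raise Forbidden("not authenticated")
    if requested_user != caller.user and caller.role != "admin":
        log.warning("session-kill denied: user=%s requested termination of user=%s",
                    caller.user, requested_user)
        raise Forbidden("may only terminate your own sessions")
    victims = _other_sessions_of(store, requested_user, caller_sid)
    for sid in victims:
        store.remove(sid)
    log.info("session-kill: user=%s ended %d session(s) of user=%s",
             caller.user, len(victims), requested_user)
    return victims


def make_store() -> SessionStore:
    """Constructed sample data: two users with live sessions plus an admin."""
    store = SessionStore()
    for sid, user, role in [("s-alice-1", "alice", "user"),
                            ("s-alice-2", "alice", "user"),
                            ("s-bob-1", "bob", "user"),
                            ("s-root-1", "admin", "admin")]:
        store.add(Session(sid, user, role))
    return store


def demo() -> dict:
    """Run the same cross-user request against both handlers."""
    results = {}
    results["vulnerable_bob_vs_alice"] = kill_dup_sessions_vulnerable(make_store(), "s-bob-1", "alice")
    try:
        kill_dup_sessions_hardened(make_store(), "s-bob-1", "alice")
        results["hardened_bob_vs_alice"] = "allowed"
    except Forbidden:
        results["hardened_bob_vs_alice"] = "forbidden"
    results["hardened_alice_self"] = kill_dup_sessions_hardened(make_store(), "s-alice-1", "alice")
    results["hardened_admin_vs_bob"] = kill_dup_sessions_hardened(make_store(), "s-root-1", "bob")
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the hardened handler is that the identity used for the authorization decision comes from the server-side session record, never from the request body; the audit log line on denial is what a SOC would alert on.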

Vulnerable firmware versions

The following versions of the IAC-AST2500A standard firmware are vulnerable:
1.10.0 (v1.10.0), 1.9.2 (v1.9.2), 1.8.3 (v1.8.3), 1.7.5 (v1.7.5) and 1.6s (v1).

Vulnerability Scenario

An attacker may attempt to exploit this vulnerability by remotely sending a crafted HTTP request to the web-based management interface of the affected device, resulting in a DoS condition.

Summary of Product Characteristics

The IAC-AST2500A standard firmware runs on a device that resides on the network and provides access to the local area network (LAN). The standard firmware is downloaded over HTTP.
The vulnerable feature is an access control check in the web-based management interface of the device. An attacker can trigger a Denial-of-Service condition by sending a crafted HTTP request to the web-based management interface of an affected device, causing it to crash.

Vulnerable devices and firmware versions

The affected devices are the LANNER IAC-AST2500A standard and LANNER IAC-AST2300A standard firmware versions 1.10.0.
