CVE-2021-28813

Insufficiently Protected Credentials Vulnerability in QSW-M2116P-2T2S and QuNetSwitch

Severity Score: 7.5 (CVSS v3.1)


Public Exploits: 0 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: - (SSVC)

Descriptions

A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. We have already fixed this vulnerability in the following versions:
  • QSW-M2116P-2T2S 1.0.6 build 210713 and later
  • QGD-1600P: QuNetSwitch 1.0.6.1509 and later
  • QGD-1602P: QuNetSwitch 1.0.6.1509 and later
  • QGD-3014PT: QuNetSwitch 1.0.6.1519 and later

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: High

Attack Vector: Network
Attack Complexity: Low
Authentication: None
Confidentiality: Partial
Integrity: None
Availability: None

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-03-18 CVE Reserved
  • 2021-09-10 CVE Published
  • 2024-09-12 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-259: Use of Hard-coded Password
  • CWE-522: Insufficiently Protected Credentials
  • CWE-798: Use of Hard-coded Credentials
  • CWE-922: Insecure Storage of Sensitive Information
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor    Product                     Version         Other   Status
Qnap      Qsw-m2116p-2t2s Firmware    < 1.0.6         -       Affected
in Qnap   Qsw-m2116p-2t2s             -               -       Safe
Qnap      Qunetswitch                 < 1.0.6.1509    -       Affected
in Qnap   Qgd-1600p                   -               -       Safe
Qnap      Qunetswitch                 < 1.0.6.1509    -       Affected
in Qnap   Qgd-1602p                   -               -       Safe
Qnap      Qunetswitch                 < 1.0.6.1509    -       Affected
in Qnap   Qgd-3014pt                  -               -       Safe