CVE-2021-37915 Information

Description

An issue was discovered on the Grandstream HT801 Analog Telephone Adaptor before 1.0.29.8. From the limited configuration shell it is possible to set the malicious gdb_debug_server variable. As a result after a reboot the device downloads and executes malicious scripts from an attacker-defined host.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://firmware.grandstream.com/BETA/Release_Note_HT80x_1.0.29.8.pdf http://www.grandstream.com/products/gateways-and-atas/analog-telephone-adaptors/product/ht801 https://www.secforce.com/blog/exploiting-grandstream-ht801-ata-cve-2021-37748-cve-2021-37915/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8