Abstract Advisory Information
The communication between the access unit and a web relay is prone to a Man-in-the-Middle (MitM) attack if the attacker can impersonate the IP address of the web relay.
Authors: Rémy Grandin
Version affected
Name: Access Unit 2.0
Versions: Firmware 2.31.0.40.5
Common Vulnerability Scoring System
4.6
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
References
- https://www.2n.cz/en_GB/products/ip-access-control/2n-access-unit-2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31399
Vulnerability Disclosure Timeline
- 15/03/2021: Vulnerability discovery
- 07/04/2021: Vulnerability Report to CERT-XLM
- 07/04/2021: Vulnerability Report to 2N Technical Support
- 07/04/2021: 2N Technical support acknowledgment
- 15/04/2021: CVE IDs requested from MITRE
- 19/04/2021: Provided CVE ID to 2N Technical Support
- 08/06/2021: 2N provides good technical reasons and will fix the vulnerability. Time before disclosure extended by 90 days from this date
- 16/06/2021: 2N states that a fix will not be ready until the end of the year
- 12/08/2021: Expected Vulnerability disclosure