CVE-2021-22644 - Vulnerability Details - OpenCVE

Ovarro TBox TWinSoft uses the custom hardcoded user “TWinSoft” with a hardcoded key.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Ovarro	Tbox Lt2-530 Tbox Lt2-530 Firmware Tbox Lt2-532 Tbox Lt2-532 Firmware Tbox Lt2-540 Tbox Lt2-540 Firmware Tbox Ms-cpu32 Tbox Ms-cpu32-s2 Tbox Ms-cpu32-s2 Firmware Tbox Ms-cpu32 Firmware Tbox Rm2 Tbox Rm2 Firmware Tbox Tg2 Tbox Tg2 Firmware Twinsoft

Configuration 1 [-]

cpe:2.3:a:ovarro:twinsoft:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:ovarro:tbox_lt2-530_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ovarro:tbox_lt2-530:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:ovarro:tbox_lt2-532_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ovarro:tbox_lt2-532:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:ovarro:tbox_lt2-540_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ovarro:tbox_lt2-540:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:ovarro:tbox_ms-cpu32_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ovarro:tbox_ms-cpu32:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:ovarro:tbox_ms-cpu32-s2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ovarro:tbox_ms-cpu32-s2:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:ovarro:tbox_rm2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ovarro:tbox_rm2:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:ovarro:tbox_tg2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ovarro:tbox_tg2:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04

History

Thu, 17 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-321
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-07-28T14:19:10.000Z

Updated: 2025-04-17T15:48:47.601Z

Reserved: 2021-01-05T00:00:00.000Z

Link: CVE-2021-22644

Vulnrichment

Updated: 2024-08-03T18:44:14.128Z

NVD

Status : Modified

Published: 2022-07-28T15:15:07.310

Modified: 2025-04-17T16:15:22.230

Link: CVE-2021-22644

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "TBox", "vendor": "Ovarro", "versions": [{"status": "affected", "version": "LT2"}, {"status": "affected", "version": "MS-CPU32"}, {"status": "affected", "version": "MS-CPU32-S2"}, {"status": "affected", "version": "RM2"}, {"status": "affected", "version": "TG2"}]}], "credits": [{"lang": "en", "value": "Uri Katz of Claroty reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "value": "Ovarro TBox TWinSoft uses the custom hardcoded user \u201cTWinSoft\u201d with a hardcoded key."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "CVE-321", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-28T14:19:10.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04"}], "solutions": [{"lang": "en", "value": "Ovarro recommends affected users update to 12.5 or later of TWinSoft to mitigate these vulnerabilities.\n\nThe latest version can be found on www.ovarro.com in the customer support section (service portal)."}], "source": {"discovery": "EXTERNAL"}, "title": "Ovarro TBox Use of Hard-coded Cryptographic Key", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2021-22644", "STATE": "PUBLIC", "TITLE": "Ovarro TBox Use of Hard-coded Cryptographic Key"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TBox", "version": {"version_data": [{"version_affected": "=", "version_value": "LT2"}, {"version_affected": "=", "version_value": "MS-CPU32"}, {"version_affected": "=", "version_value": "MS-CPU32-S2"}, {"version_affected": "=", "version_value": "RM2"}, {"version_affected": "=", "version_value": "TG2"}]}}]}, "vendor_name": "Ovarro"}]}}, "credit": [{"lang": "eng", "value": "Uri Katz of Claroty reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Ovarro TBox TWinSoft uses the custom hardcoded user \u201cTWinSoft\u201d with a hardcoded key."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CVE-321"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04"}]}, "solution": [{"lang": "en", "value": "Ovarro recommends affected users update to 12.5 or later of TWinSoft to mitigate these vulnerabilities.\n\nThe latest version can be found on www.ovarro.com in the customer support section (service portal)."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:44:14.128Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-321", "lang": "en", "description": "CWE-321 Use of Hard-coded Cryptographic Key"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-17T14:34:16.263395Z", "id": "CVE-2021-22644", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T15:48:47.601Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-22644", "datePublished": "2022-07-28T14:19:10.000Z", "dateReserved": "2021-01-05T00:00:00.000Z", "dateUpdated": "2025-04-17T15:48:47.601Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:44:14.128Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-22644", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-17T14:34:16.263395Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T14:34:17.677Z"}}], "cna": {"title": "Ovarro TBox Use of Hard-coded Cryptographic Key", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Uri Katz of Claroty reported these vulnerabilities to CISA."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Ovarro", "product": "TBox", "versions": [{"status": "affected", "version": "LT2"}, {"status": "affected", "version": "MS-CPU32"}, {"status": "affected", "version": "MS-CPU32-S2"}, {"status": "affected", "version": "RM2"}, {"status": "affected", "version": "TG2"}]}], "solutions": [{"lang": "en", "value": "Ovarro recommends affected users update to 12.5 or later of TWinSoft to mitigate these vulnerabilities.\n\nThe latest version can be found on www.ovarro.com in the customer support section (service portal)."}], "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04", "tags": ["x_refsource_CONFIRM"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Ovarro TBox TWinSoft uses the custom hardcoded user \u201cTWinSoft\u201d with a hardcoded key."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "CVE-321"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-07-28T14:19:10.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Uri Katz of Claroty reported these vulnerabilities to CISA."}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "LT2", "version_affected": "="}, {"version_value": "MS-CPU32", "version_affected": "="}, {"version_value": "MS-CPU32-S2", "version_affected": "="}, {"version_value": "RM2", "version_affected": "="}, {"version_value": "TG2", "version_affected": "="}]}, "product_name": "TBox"}]}, "vendor_name": "Ovarro"}]}}, "solution": [{"lang": "en", "value": "Ovarro recommends affected users update to 12.5 or later of TWinSoft to mitigate these vulnerabilities.\n\nThe latest version can be found on www.ovarro.com in the customer support section (service portal)."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Ovarro TBox TWinSoft uses the custom hardcoded user \u201cTWinSoft\u201d with a hardcoded key."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CVE-321"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-22644", "STATE": "PUBLIC", "TITLE": "Ovarro TBox Use of Hard-coded Cryptographic Key", "ASSIGNER": "ics-cert@hq.dhs.gov"}}}}, "cveMetadata": {"cveId": "CVE-2021-22644", "state": "PUBLISHED", "dateUpdated": "2025-04-17T15:48:47.601Z", "dateReserved": "2021-01-05T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-07-28T14:19:10.000Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ovarro:twinsoft:*:*:*:*:*:*:*:*", "matchCriteriaId": "B79BE17A-7179-430C-B8FD-C2F72EB23DBF", "versionEndExcluding": "12.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ovarro:tbox_lt2-530_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DECA4DF-4FFE-42BC-94CE-490C1D2370B2", "versionEndExcluding": "1.46", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ovarro:tbox_lt2-530:-:*:*:*:*:*:*:*", "matchCriteriaId": "86E78A8D-9B20-4162-81EA-E707224DA475", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ovarro:tbox_lt2-532_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7D10411-651E-44DD-8C98-25CF7E183EAB", "versionEndExcluding": "1.46", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ovarro:tbox_lt2-532:-:*:*:*:*:*:*:*", "matchCriteriaId": "B08843AE-E7C3-44AD-9800-6EEEA00C1D60", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ovarro:tbox_lt2-540_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7045481-F093-404D-B9E1-832D4EBA8712", "versionEndExcluding": "1.46", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ovarro:tbox_lt2-540:-:*:*:*:*:*:*:*", "matchCriteriaId": "54D1B1BD-E3FF-4F4E-9248-0472BF3A4524", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ovarro:tbox_ms-cpu32_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "25B291F2-EE60-4C51-BD3B-6233292EC144", "versionEndExcluding": "1.46", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ovarro:tbox_ms-cpu32:-:*:*:*:*:*:*:*", "matchCriteriaId": "0746C27E-6100-430A-8005-F71C8D24E827", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ovarro:tbox_ms-cpu32-s2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "959C6D18-D3B9-4819-945D-CD46251C63F2", "versionEndExcluding": "1.46", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ovarro:tbox_ms-cpu32-s2:-:*:*:*:*:*:*:*", "matchCriteriaId": "1753583A-93AC-4DBE-8E2C-A4816B8D1D11", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ovarro:tbox_rm2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "399E43B9-311F-428A-B924-44CF833634AF", "versionEndExcluding": "1.46", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ovarro:tbox_rm2:-:*:*:*:*:*:*:*", "matchCriteriaId": "F73C576F-9BAB-4C8E-9B47-9C930B67C910", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ovarro:tbox_tg2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9786858-CD7C-4F05-A266-1C5C6AC46256", "versionEndExcluding": "1.46", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ovarro:tbox_tg2:-:*:*:*:*:*:*:*", "matchCriteriaId": "551340E5-D721-40F1-8D14-CBF87A68BFB3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ovarro TBox TWinSoft uses the custom hardcoded user \u201cTWinSoft\u201d with a hardcoded key."}, {"lang": "es", "value": "Ovarro TBox TWinSoft usa el usuario personalizado \"TWinSoft\" con una clave embebida"}], "id": "CVE-2021-22644", "lastModified": "2025-04-17T16:15:22.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-28T15:15:07.310", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-321"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}