CVE-2021-27562
Published: 2021-05-25
Priority: P276 · medium · CVSS 3.1 base score 5.5
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA Known Exploited Vulnerability: yes (remediation due 2021-11-17)
Exploited in the wild: yes
EPSS: 3.09% (86.1th percentile)
In Arm Trusted Firmware M through 1.2, the NS world may trigger a system halt, an overwrite of secure data, or the printing out of secure data when calling secure functions under the NSPE handler mode.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trustedfirmware | trusted_firmware-m | <= 1.2.0 | — |
Detection & IOCs (extracted from sources)
- URI: /premise/front/getPingData?url=http|3a 2f 2f|0.0.0.0|3a|9600/sm/api/v1/firewall/zone/services?zone=
- Port: 9600
- Snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)"; flow:established,to_server; http.uri; content:"/premise/front/getPingData?url=http|3a 2f 2f|0.0.0.0|3a|9600/sm/api/v1/firewall/zone/services?zone="; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; reference:url,ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562; reference:cve,2021-27561; classtype:attempted-admin; sid:2032095; rev:3; metadata:attack_target IoT, created_at 2021_03_17, cve CVE_2021_27561, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_09_20;)
- The indexed exploit traffic targets Yealink Device Management servers with an HTTP GET to /premise/front/getPingData whose url parameter points at an internal service on port 9600 (/sm/api/v1/firewall/zone/services); that is the SSRF/RCE payload of the Yealink DM pre-auth root-level RCE chain.
- The Snort/Suricata rule above (sid:2032095) is written for CVE-2021-27561 and only cross-references CVE-2021-27562. The Unit42 report further down describes a Mirai variant serving exploits for both identifiers within hours of the Yealink DM details being published, which is why the two travel together in detection content.
- NVD describes CVE-2021-27562 as an Arm Trusted Firmware-M bug triggered when NS (non-secure) code calls secure functions while in handler mode. That is a local, on-device condition (CVSS vector AV:L) that no network signature observes; the control belongs in the secure-side entry path, which must not assume NS callers arrive in thread mode and must validate the caller's frame and pointer arguments before using them.
- CISA KEV and VulnCheck attach the Yealink Device Management association to this identifier, so the sources on this page carry two different descriptions under one CVE ID. Nothing here shows Yealink DM running TF-M. Treat the network detections as coverage for the Yealink DM chain and the TF-M advisory (TF-M through 1.2, CWE-787) as a separate firmware-update item, and confirm which description a scanner hit or KEV match actually refers to before closing a ticket.
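The NVD description lists three outcomes (a halt, an overwrite of secure data, secure data printed out) and one trigger (NS code calling secure functions from handler mode). The TF-M advisory linked at the end of the page names the root cause as the SVC handler's fetching of the caller's stack pointer; its code is not reproduced here. The following host-side C simulation is an added example, not TF-M's code: it models a secure SVC dispatcher that locates the caller's argument frame from EXC_RETURN alone and then trusts the frame and its pointer arguments, beside a hardened variant that refuses handler-mode callers and checks that the frame and every pointer argument lie in non-secure memory (the check cmse_check_address_range performs on real hardware). The address map, the secret, the copy service and the NS_IN, NS_OUT, PSP_NS and MSP_S_TOP values are all constructed for the example; the EXC_RETURN bit positions are the architectural ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Armv8-M EXC_RETURN bits an SVC handler inspects (architectural definitions). */
#define EXC_RETURN_SPSEL  (1u << 2)   /* 1: frame on PSP, 0: frame on MSP */
#define EXC_RETURN_MODE   (1u << 3)   /* 1: Thread mode,  0: Handler mode */
#define EXC_RETURN_THREAD (EXC_RETURN_MODE | EXC_RETURN_SPSEL)

/* Simulated address map, constructed for this example (not a real SoC). */
#define NS_BASE     0x20000000u
#define S_BASE      0x30000000u
#define REGION_SIZE 0x1000u
#define NS_IN       (NS_BASE + 0x100u)   /* NS input buffer                   */
#define NS_OUT      (NS_BASE + 0x200u)   /* NS output buffer                  */
#define PSP_NS      (NS_BASE + 0xF00u)   /* NS thread-mode stack frame        */
#define SECRET_ADDR (S_BASE + 0x800u)    /* hypothetical secret in secure RAM */
#define MSP_S_TOP   (S_BASE + 0xF00u)    /* secure main stack                 */

static uint8_t ns_ram[REGION_SIZE];
static uint8_t s_ram[REGION_SIZE];
static const char SECRET[] = "s3cret-key";
typedef struct { uint32_t r0, r1, r2, r3; } exc_frame_t;   /* stacked r0-r3 */
typedef struct { uint32_t exc_return, psp_ns, msp_s; } core_state_t;
enum { SVC_OK = 0, SVC_FAULT = -1, SVC_REJECT_MODE = -2, SVC_REJECT_ADDR = -3 };

/* Stand-in for cmse_check_address_range(p, len, CMSE_NONSECURE): true only when
 * the whole range lies in non-secure memory. */
static bool ns_range(uint32_t addr, uint32_t len) {
    return addr >= NS_BASE && (uint64_t)(addr - NS_BASE) + len <= REGION_SIZE;
}

/* Translate a simulated range to host memory; NULL when it is not wholly inside
 * one region (a real core would fault here: the "system halt" outcome). */
static uint8_t *map(uint32_t addr, uint32_t len) {
    if (ns_range(addr, len)) return ns_ram + (addr - NS_BASE);
    if (addr >= S_BASE && (uint64_t)(addr - S_BASE) + len <= REGION_SIZE)
        return s_ram + (addr - S_BASE);
    return NULL;
}

/* Secure SVC dispatcher. The service copies r1 bytes from r0 to r2 (capped at r3)
 * and stores its status in the frame's r0 slot, which the core restores into the
 * caller's r0 on exception return. "hardened" enables the checks the other path lacks. */
static int svc_dispatch(const core_state_t *cs, bool hardened) {
    if (hardened && !(cs->exc_return & EXC_RETURN_MODE))
        return SVC_REJECT_MODE;             /* no service for handler-mode callers */
    uint32_t sp = (cs->exc_return & EXC_RETURN_SPSEL) ? cs->psp_ns : cs->msp_s;
    if (hardened && !ns_range(sp, sizeof(exc_frame_t)))
        return SVC_REJECT_ADDR;             /* frame must be on a non-secure stack */
    uint8_t *fp = map(sp, sizeof(exc_frame_t));
    if (!fp) return SVC_FAULT;
    exc_frame_t f;
    memcpy(&f, fp, sizeof f);
    uint32_t n = f.r1 < f.r3 ? f.r1 : f.r3;
    if (hardened && (!ns_range(f.r0, n) || !ns_range(f.r2, n)))
        return SVC_REJECT_ADDR;             /* pointer arguments must be NS as well */
    uint8_t *src = map(f.r0, n), *dst = map(f.r2, n);
    if (!src || !dst) return SVC_FAULT;
    memcpy(dst, src, n);
    uint32_t status = SVC_OK;
    memcpy(fp, &status, sizeof status);     /* return value written through the frame */
    return SVC_OK;
}

/* Reset simulated memory, build an NS frame {src, 10, dst, 32} on PSP_NS, run one
 * call, then copy probe_len bytes from probe_addr into probe so the caller can see
 * what memory looks like afterwards. */
static int run_call(bool hardened, uint32_t exc_return, uint32_t src, uint32_t dst,
                    uint32_t probe_addr, char *probe, uint32_t probe_len) {
    memset(ns_ram, 0, sizeof ns_ram);
    memset(s_ram, 0xA5, sizeof s_ram);      /* 0xA5 marks untouched secure RAM */
    memcpy(map(SECRET_ADDR, sizeof SECRET), SECRET, sizeof SECRET);
    memcpy(map(NS_IN, 9), "hello-ns", 9);
    exc_frame_t f = { src, 10, dst, 32 };
    memcpy(map(PSP_NS, sizeof f), &f, sizeof f);
    core_state_t cs = { exc_return, PSP_NS, MSP_S_TOP };
    int rc = svc_dispatch(&cs, hardened);
    memcpy(probe, map(probe_addr, probe_len), probe_len);
    return rc;
}

int main(void) {
    char p[11];
    for (int h = 0; h < 2; h++) {
        printf("%s dispatcher\n", h ? "hardened" : "unhardened");
        int rc = run_call(h, EXC_RETURN_THREAD, NS_IN, NS_OUT, NS_OUT, p, 11);
        printf("  NS->NS copy   rc=%d out=\"%s\"\n", rc, p);
        rc = run_call(h, EXC_RETURN_THREAD, SECRET_ADDR, NS_OUT, NS_OUT, p, 11);
        printf("  secure src    rc=%d out=\"%s\"\n", rc, p);       /* leak */
        rc = run_call(h, EXC_RETURN_THREAD, NS_IN, SECRET_ADDR, SECRET_ADDR, p, 11);
        printf("  secure dst    rc=%d secret=\"%s\"\n", rc, p);    /* overwrite */
        rc = run_call(h, 0, NS_IN, NS_OUT, NS_OUT, p, 11);
        printf("  handler mode  rc=%d\n", rc);                     /* fault */
    }
    return 0;
}
```

The unhardened path reproduces the three outcomes in the description with nothing more than caller-chosen arguments: a secure source address is copied out to NS memory, a secure destination address is overwritten with NS data, and a handler-mode call makes the dispatcher read a frame from the secure main stack and fault. The hardened path fails closed with a distinct status for each. On hardware the equivalent checks are the mode test on the caller and cmse_check_address_range() on the frame and on every NS-supplied pointer; TF-M's own remediation is in the linked advisory and is not reproduced here.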
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| NVD | 2.0 | 4.9 | MEDIUM | AV:L/AC:L/Au:N/C:N/I:N/A:C |
| VulnCheck | — | 5.5 | MEDIUM | — |
| CISA | — | 5.5 | MEDIUM | — |
VulDB
ARM Trusted Firmware-M up to 1.2 NSPE Handler Mode denial of service
vuldb·2026-06-06·CVSS 5.5
CVE-2021-27562 [MEDIUM] ARM Trusted Firmware-M up to 1.2 NSPE Handler Mode denial of service
A vulnerability, which was classified as problematic, has been found in ARM Trusted Firmware-M up to 1.2. The affected element is an unknown function of the component NSPE Handler Mode. The manipulation leads to denial of service.
This vulnerability is documented as CVE-2021-27562. The attack requires being on the local network. Additionally, an exploit exists.
It is suggested to install a patch to address this issue.
GHSA
GHSA-3352-gx8m-f7v5: In Arm Trusted Firmware M through 1
ghsa_unreviewed·2022-05-24
CVE-2021-27562 [MEDIUM] CWE-787 GHSA-3352-gx8m-f7v5: In Arm Trusted Firmware M through 1
In Arm Trusted Firmware M through 1.2, the NS world may trigger a system halt, an overwrite of secure data, or the printing out of secure data when calling secure functions under the NSPE handler mode.
VulnCheck
Arm Trusted Firmware Out-of-Bounds Write Vulnerability
vulncheck·2021·CVSS 5.5
CVE-2021-27562 [MEDIUM] CWE-787 Arm Trusted Firmware Out-of-Bounds Write Vulnerability
Arm Trusted Firmware contains an out-of-bounds write vulnerability allowing the non-secure (NS) world to trigger a system halt, overwrite secure data, or print out secure data when calling secure functions under the non-secure processing environment (NSPE) handler mode. This vulnerability affects Yealink Device Management servers.
Affected: Arm Trusted Firmware
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx; https://www.cisa.gov/sites/default/files/feeds/known_exploited_
CISA
Arm Trusted Firmware Out-of-Bounds Write Vulnerability
cisa·2021-11-03·CVSS 5.5
CVE-2021-27562 [MEDIUM] CWE-787 Arm Trusted Firmware Out-of-Bounds Write Vulnerability
Vulnerability: Arm Trusted Firmware Out-of-Bounds Write Vulnerability
Affected: Arm Trusted Firmware
Arm Trusted Firmware contains an out-of-bounds write vulnerability allowing the non-secure (NS) world to trigger a system halt, overwrite secure data, or print out secure data when calling secure functions under the non-secure processing environment (NSPE) handler mode. This vulnerability affects Yealink Device Management servers.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-27562
Remediation Due Date: 2021-11-17
Suricata
ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)
suricata·2021-03-17·CVSS 9.8
CVE-2021-27561 [CRITICAL] ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)"; flow:established,to_server; http.uri; content:"/premise/front/getPingData?url=http|3a 2f 2f|0.0.0.0|3a|9600/sm/api/v1/firewall/zone/services?zone="; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; reference:url,ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562; reference:cve,2021-27561; classtype:attempted-admin; sid:2032095; rev:3; metadata:attack_target IoT, created_at 2021_03_17, cve CVE_2021_27561, deployment Perimeter, per
No public exploits indexed.
Bleepingcomputer
Mirai DDoS malware variant expands targets with 13 router exploits
blogs_bleepingcomputer·2023-10-10·CVSS 9.8
[CRITICAL] Mirai DDoS malware variant expands targets with 13 router exploits
## Mirai DDoS malware variant expands targets with 13 router exploits
By Bill Toulas
A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads to target Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others.
Fortinet researchers report observing a peak in the exploitation rates around the first week of September, reaching tens of thousands of exploitation attempts against vulnerable devices.
IZ1H9 compromises devices to enlist them to its DDoS swarm and then launches DDoS attacks on specified targets, presumably on the order of clients renting its firepower.
## Extensive IoT targeting
The more devices and vulnerabilities targeted by a DDoS malware increased the potential to build a large and powerful
Fortinet
The Ghosts of Mirai | FortiGuard Labs
blogs_fortinet·2021-06-24
The Ghosts of Mirai | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
The Ghosts of Mirai
By David Maciejak and Joie Salvio | June 24, 2021
FortiGuard Labs Threat Research Report
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
It has been almost five years since the source code of the notorious MIRAI IoT malware was released to the public by its author in late 2016. This event led to the emergence of numerous copycats, creating their own flavors of IoT botnet armies. Although improvements have been constantly added since then by various threat actors, the structure and goal of the campaigns have remained the same.
IoT malware scans the Internet for IoT devices that use default or weak usernames and passwords. They also seek
Unit42
New Mirai Variant Targeting Network Security Devices
blogs_unit42·2021-03-16·CVSS 7.5
CVE-2019-19356 [HIGH] New Mirai Variant Targeting Network Security Devices
## New Mirai Variant Targeting Network Security Devices
Vaibhav Singhal, Ruchna Nigam, Zhibin Zhang, Asher Davila · Published: March 15, 2021
Tags: CVE-2019-19356, CVE-2020-25506, CVE-2020-26919, CVE-2021-22502, CVE-2021-27561, CVE-2021-27562, IoT, Mirai, VisualDoor
Unit42
New Mirai Variant Targeting Network Security Devices
blogs_unit42·2021-03-16·CVSS 7.5
CVE-2020-25506 [HIGH] New Mirai Variant Targeting Network Security Devices
## Executive Summary
On Feb. 16, 2021, Unit 42 researchers discovered attacks leveraging a number of vulnerabilities, including:
- VisualDoor (a SonicWall SSL-VPN exploit).
- CVE-2020-25506 (a D-Link DNS-320 firewall exploit).
- CVE-2020-26919 (a Netgear ProSAFE Plus exploit).
- Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).
- Three other IoT vulnerabilities yet to be identified.
On Feb. 23, 2021, one of the IPs involved in the attack was updated to serve a Mirai variant leveraging CVE-2021-27561 and CVE-2021-27562, mere hours after vulnerability details were published. On March 3, 2021, the same samples were served from a third IP address, with the addition of an exploit leveraging CVE-2021-22502. Furthermore, on March 13, an exploit targeting CVE-2020-26919 was also
arXiv
SoK: Where's the "up"?! A Comprehensive (bottom-up) Study on the Security of Arm Cortex-M Systems
arxiv_fulltext·2024-05-13
SoK: Where's the "up"?! A Comprehensive (bottom-up) Study on the Security of Arm Cortex-M Systems
arXiv
uTango: an open-source TEE for IoT devices
arxiv_fulltext·2022-02-16
uTango: an open-source TEE for IoT devices
uTango: an open-source TEE for IoT devices
Daniel Oliveira,
Tiago Gomes,
Sandro Pinto
ALGORITMI, University of Minho
{daniel.oliveira, mr.gomes, sandro.pinto}@dei.uminho.pt
## Abstract
Security is one of the main challenges of the Internet of Things (IoT). IoT devices are mainly powered by low-cost microcontrollers (MCUs) that typically lack basic hardware security mechanisms to separate security-critical applications from less critical components. Recently, Arm has started to release Cortex-M MCUs enhanced with TrustZone technology (i.e., TrustZone-M), a system-wide security solution aiming at providing robust protection for IoT devices. Trusted Execution Environments (TEEs) relying on TrustZone hardware have been perceived as safe havens for securing mobile devices. However, for t
References
- https://developer.arm.com/support/arm-security-updates
- https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/docs/security/security_advisories/svc_caller_sp_fetching_vulnerability.rst
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27562
Timeline
- 2021-05-25: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild