Multiple vulnerabilities in Unisoc chipsets
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2021-39636 CVE-2021-39635 CVE-2021-39616 |
| CWE-ID | CWE-862 CWE-78 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SC9863A Mobile applications / Mobile firmware & hardware SC9832E Mobile applications / Mobile firmware & hardware SC7731E Mobile applications / Mobile firmware & hardware UMS512 Mobile applications / Mobile firmware & hardware UMS312 Mobile applications / Mobile firmware & hardware UMS9230 Mobile applications / Mobile firmware & hardware UMS9620 Mobile applications / Mobile firmware & hardware |
| Vendor | UNISOC |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Missing Authorization
EUVDB-ID: #VU72907
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-39636
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to read, manipulate or delete data.
The vulnerability exists due to improper input validation within the net service in System. A remote attacker can trick the victim to open a specially crafted file and read, manipulate or delete data.
MitigationInstall security update from vendor's website.
Vulnerable software versionsSC9863A: All versions
SC9832E: All versions
SC7731E: All versions
UMS512: All versions
UMS312: All versions
UMS9230: All versions
UMS9620: All versions
CPE2.3- cpe:2.3:a:unisoc:sc9863a:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:sc9832e:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:sc7731e:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:ums512:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:ums312:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:ums9230:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:ums9620:*:*:*:*:*:*:*:*
https://www.unisoc.com/en_us/secy/announcementDetail/1532206380499406850
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Missing Authorization
EUVDB-ID: #VU72908
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-39635
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to read, manipulate or delete data.
The vulnerability exists due to improper input validation within the net service in System. A remote attacker can trick the victim to open a specially crafted file and read, manipulate or delete data.
MitigationInstall security update from vendor's website.
Vulnerable software versionsSC9863A: All versions
SC9832E: All versions
SC7731E: All versions
UMS512: All versions
UMS312: All versions
UMS9230: All versions
UMS9620: All versions
CPE2.3- cpe:2.3:a:unisoc:sc9863a:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:sc9832e:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:sc7731e:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:ums512:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:ums312:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:ums9230:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:ums9620:*:*:*:*:*:*:*:*
https://www.unisoc.com/en_us/secy/announcementDetail/1532206380499406850
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
EUVDB-ID: #VU72909
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-39616
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to read, manipulate or delete data.
The vulnerability exists due to improper input validation within the System. A remote attacker can trick the victim to open a specially crafted file and read, manipulate or delete data.
MitigationInstall security update from vendor's website.
Vulnerable software versionsSC9863A: All versions
SC9832E: All versions
SC7731E: All versions
UMS512: All versions
UMS312: All versions
UMS9230: All versions
UMS9620: All versions
CPE2.3- cpe:2.3:a:unisoc:sc9863a:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:sc9832e:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:sc7731e:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:ums512:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:ums312:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:ums9230:*:*:*:*:*:*:*:*
- cpe:2.3:a:unisoc:ums9620:*:*:*:*:*:*:*:*
https://www.unisoc.com/en_us/secy/announcementDetail/1532206380499406850
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
