Details of VAR-202002-1343

ID

VAR-202002-1343

CVE

CVE-2020-9026

TITLE

ELTEX NTP-RG-1402G Operating System Command Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-10130 // CNNVD: CNNVD-202002-880

DESCRIPTION

ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected. ELTEX NTP-RG-1402G and NTP-2 On the device OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. ELTEX NTP-RG-1402G is a router product of Russian ELTEX company. An operating system command injection vulnerability exists in ELTEX NTP-RG-1402G 1v10 3.25.3.32. The vulnerability stems from the fact that the network system or product did not properly filter the special characters, commands, etc. during the process of constructing the executable command of the operating system by external input data. An attacker could use this vulnerability to execute illegal operating system commands

Trust: 2.16

sources: NVD: CVE-2020-9026 // JVNDB: JVNDB-2020-002039 // CNVD: CNVD-2020-10130

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-10130

AFFECTED PRODUCTS

vendor:	eltex	model:	ntp-rg-1402g	scope:	eq	version:	3.25.3.32	Trust: 1.8
vendor:	eltex	model:	ntp-2	scope:	eq	version:	3.25.1.1226	Trust: 1.0
vendor:	eltex	model:	ntp-2	scope:	-	version:	-	Trust: 0.8
vendor:	eltex	model:	ntp-rg-1402g	scope:	eq	version:	1v103.25.3.32	Trust: 0.6

sources: CNVD: CNVD-2020-10130 // JVNDB: JVNDB-2020-002039 // NVD: CVE-2020-9026

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-9026
value:	CRITICAL
Trust: 1.0
NVD:	JVNDB-2020-002039
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2020-10130
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202002-880
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2020-9026
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-002039
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-10130
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-9026
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-002039
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-10130 // JVNDB: JVNDB-2020-002039 // CNNVD: CNNVD-202002-880 // NVD: CVE-2020-9026

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2020-002039 // NVD: CVE-2020-9026

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-880

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202002-880

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-002039

PATCH

title:

Top Page

url:

https://eltex-co.com

Trust: 0.8

sources: JVNDB: JVNDB-2020-002039

EXTERNAL IDS

db:	NVD	id:	CVE-2020-9026	Trust: 3.0
db:	JVNDB	id:	JVNDB-2020-002039	Trust: 0.8
db:	CNVD	id:	CNVD-2020-10130	Trust: 0.6
db:	CNNVD	id:	CNNVD-202002-880	Trust: 0.6

sources: CNVD: CNVD-2020-10130 // JVNDB: JVNDB-2020-002039 // CNNVD: CNNVD-202002-880 // NVD: CVE-2020-9026

REFERENCES

url:	https://sku11army.blogspot.com/2020/01/eltex-devices-ntp-rg-1402g-ntp-2-os.html	Trust: 3.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9026	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9026	Trust: 0.8

sources: CNVD: CNVD-2020-10130 // JVNDB: JVNDB-2020-002039 // CNNVD: CNNVD-202002-880 // NVD: CVE-2020-9026

SOURCES

db:	CNVD	id:	CNVD-2020-10130
db:	JVNDB	id:	JVNDB-2020-002039
db:	CNNVD	id:	CNNVD-202002-880
db:	NVD	id:	CVE-2020-9026

LAST UPDATE DATE

2024-11-23T22:05:47.421000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-10130	date:	2020-02-18T00:00:00
db:	JVNDB	id:	JVNDB-2020-002039	date:	2020-03-03T00:00:00
db:	CNNVD	id:	CNNVD-202002-880	date:	2020-05-18T00:00:00
db:	NVD	id:	CVE-2020-9026	date:	2024-11-21T05:39:51.397

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-10130	date:	2020-02-18T00:00:00
db:	JVNDB	id:	JVNDB-2020-002039	date:	2020-03-03T00:00:00
db:	CNNVD	id:	CNNVD-202002-880	date:	2020-02-17T00:00:00
db:	NVD	id:	CVE-2020-9026	date:	2020-02-17T04:15:11.187