ID

VAR-202003-1412


CVE

CVE-2020-5535


TITLE

Multiple vulnerabilities in OpenBlocks IoT VX2

Trust: 0.8

sources: JVNDB: JVNDB-2020-000020

DESCRIPTION

OpenBlocks IoT VX2 prior to Ver.4.0.0 (Ver.3 Series) allows an attacker on the same network segment to execute arbitrary OS commands with root privileges via unspecified vectors. OpenBlocks IoT VX2, provided by Plat'Home Co., Ltd., is affected by several vulnerabilities:

・ OS command injection (CWE-78) - CVE-2020-5535
・ Insufficient authentication (CWE-287) - CVE-2020-5536

This vulnerability information was reported to IPA under the Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer. Reporters: Masahiro Murashima and Genta Kataoka of Ierae Security Co., Ltd.

The expected impact depends on each vulnerability, but the product may be affected as follows:

・ A user who can connect to the product may execute arbitrary OS commands with root privileges - CVE-2020-5535
・ A user who can connect to the product may bypass authentication and initialize the device - CVE-2020-5536

OpenBlocks IoT VX2 is an intelligent edge IoT gateway with the high functionality and reliability required for the actual operation of IoT systems. Plat’Home OpenBlocks IoT VX2 is an IoT gateway device from Japan’s Plat’Home. Plat’Home OpenBlocks IoT VX2 versions prior to 4.0.0 have an operating system command injection vulnerability.

Trust: 2.7

sources: NVD: CVE-2020-5535 // JVNDB: JVNDB-2020-000020 // CNVD: CNVD-2020-15518 // CNNVD: CNNVD-202003-154

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-15518

AFFECTED PRODUCTS

vendor: plathome, model: openblocks iot vx2, scope: lt, version: 4.0.0

Trust: 1.0

vendor: plathome, model: openblocks iot vx2, scope: gte, version: 3.3.0

Trust: 1.0

vendor: plat home, model: openblocks iot vx2, scope: eq, version: ver.4.0.0 (ver.3 series)

Trust: 0.8

vendor: plat home, model: openblocks iot, scope: eq, version: vx2<4.0.0

Trust: 0.6

vendor: plathome, model: openblocks iot vx2, scope: eq, version: 3.4.0

Trust: 0.6

vendor: plathome, model: openblocks iot vx2, scope: eq, version: 3.3.1

Trust: 0.6

vendor: plathome, model: openblocks iot vx2, scope: eq, version: -

Trust: 0.6

vendor: plathome, model: openblocks iot vx2, scope: eq, version: 3.3.0

Trust: 0.6

vendor: plathome, model: openblocks iot vx2, scope: eq, version: 3.3.2

Trust: 0.6

sources: CNVD: CNVD-2020-15518 // JVNDB: JVNDB-2020-000020 // CNNVD: CNNVD-202003-154 // NVD: CVE-2020-5535

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-5535
value: HIGH

Trust: 1.0

IPA: JVNDB-2020-000020
value: HIGH

Trust: 0.8

IPA: JVNDB-2020-000020
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-15518
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202003-154
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-5535
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2020-000020
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

IPA: JVNDB-2020-000020
severity: MEDIUM
baseScore: 4.8
vectorString: AV:A/AC:L/AU:N/C:N/I:P/A:P
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-15518
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-5535
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

IPA: JVNDB-2020-000020
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

IPA: JVNDB-2020-000020
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-15518 // JVNDB: JVNDB-2020-000020 // JVNDB: JVNDB-2020-000020 // CNNVD: CNNVD-202003-154 // NVD: CVE-2020-5535

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.8

problemtype:CWE-287

Trust: 0.8

sources: JVNDB: JVNDB-2020-000020 // NVD: CVE-2020-5535

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202003-154

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202003-154

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-000020

PATCH

title: OpenBlocks IoT VX2 Software Release Information | FW4.0.0
url: https://www.plathome.co.jp/software/vx2-v4-0-0/

Trust: 0.8

title: Patch for OpenBlocks IoT VX2 arbitrary OS command execution vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/206915

Trust: 0.6

title: Plat’Home OpenBlocks IoT VX2 Fixes for operating system command injection vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111602

Trust: 0.6

sources: CNVD: CNVD-2020-15518 // JVNDB: JVNDB-2020-000020 // CNNVD: CNNVD-202003-154

EXTERNAL IDS

db: JVN, id: JVN19666251

Trust: 3.0

db: NVD, id: CVE-2020-5535

Trust: 3.0

db: JVNDB, id: JVNDB-2020-000020

Trust: 1.4

db: CNVD, id: CNVD-2020-15518

Trust: 0.6

db: CNNVD, id: CNNVD-202003-154

Trust: 0.6

sources: CNVD: CNVD-2020-15518 // JVNDB: JVNDB-2020-000020 // CNNVD: CNNVD-202003-154 // NVD: CVE-2020-5535

REFERENCES

url:https://jvn.jp/en/jp/jvn19666251/index.html

Trust: 2.2

url:https://www.plathome.co.jp/software/vx2-v4-0-0/

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5535

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5536

Trust: 0.8

url:https://jvn.jp/jp/jvn19666251/index.html

Trust: 0.8

url:https://jvndb.jvn.jp/en/contents/2020/jvndb-2020-000020.html

Trust: 0.6

sources: CNVD: CNVD-2020-15518 // JVNDB: JVNDB-2020-000020 // CNNVD: CNNVD-202003-154 // NVD: CVE-2020-5535

CREDITS

Masahiro Murashima and Genta Kataoka of IERAE SECURITY INC

Trust: 0.6

sources: CNNVD: CNNVD-202003-154

SOURCES

db: CNVD, id: CNVD-2020-15518
db: JVNDB, id: JVNDB-2020-000020
db: CNNVD, id: CNNVD-202003-154
db: NVD, id: CVE-2020-5535

LAST UPDATE DATE

2024-11-23T22:33:33.418000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-15518, date: 2020-03-05T00:00:00
db: JVNDB, id: JVNDB-2020-000020, date: 2020-03-03T00:00:00
db: CNNVD, id: CNNVD-202003-154, date: 2020-03-13T00:00:00
db: NVD, id: CVE-2020-5535, date: 2024-11-21T05:34:13.977

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-15518, date: 2020-03-05T00:00:00
db: JVNDB, id: JVNDB-2020-000020, date: 2020-03-03T00:00:00
db: CNNVD, id: CNNVD-202003-154, date: 2020-03-03T00:00:00
db: NVD, id: CVE-2020-5535, date: 2020-03-04T02:15:13.253