ID

VAR-202003-1413


CVE

CVE-2020-5536


TITLE

Multiple vulnerabilities in OpenBlocks IoT VX2

Trust: 0.8

sources: JVNDB: JVNDB-2020-000020

DESCRIPTION

OpenBlocks IoT VX2 prior to Ver.4.0.0 (Ver.3 Series) allows an attacker on the same network segment to bypass authentication and to initialize the device via unspecified vectors.

OpenBlocks IoT VX2, provided by Plat'Home Co., Ltd., contains multiple vulnerabilities:
・ OS command injection (CWE-78) - CVE-2020-5535
・ Insufficient authentication (CWE-287) - CVE-2020-5536

This vulnerability information was reported to IPA under the Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer. Reporters: Murashima Masahiro and Kataoka Genta of Ierae Security Co., Ltd.

The expected impact depends on each vulnerability, but may include the following:
・ A user who can connect to the product may execute arbitrary OS commands with root privileges - CVE-2020-5535
・ A user who can connect to the product may bypass authentication and initialize the device - CVE-2020-5536

OpenBlocks IoT VX2 is an intelligent edge IoT gateway with the high functionality and reliability required for the actual operation of IoT systems. Plat'Home OpenBlocks IoT VX2 is an IoT gateway device from Japan's Plat'Home. An authorization issue vulnerability exists in OpenBlocks IoT VX2 versions prior to 4.0.0, which originated from incorrect authentication.

Trust: 2.7

sources: NVD: CVE-2020-5536 // JVNDB: JVNDB-2020-000020 // CNVD: CNVD-2020-15519 // CNNVD: CNNVD-202003-152

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-15519

AFFECTED PRODUCTS

vendor: plathome, model: openblocks iot vx2, scope: lt, version: 4.0.0

Trust: 1.0

vendor: plathome, model: openblocks iot vx2, scope: gte, version: 3.3.0

Trust: 1.0

vendor: plat home, model: openblocks iot vx2, scope: eq, version: ver.4.0.0 (ver.3 series)

Trust: 0.8

vendor: plat home, model: openblocks iot, scope: eq, version: vx2<4.0.0

Trust: 0.6

vendor: plathome, model: openblocks iot vx2, scope: eq, version: 3.4.0

Trust: 0.6

vendor: plathome, model: openblocks iot vx2, scope: eq, version: 3.3.1

Trust: 0.6

vendor: plathome, model: openblocks iot vx2, scope: eq, version: -

Trust: 0.6

vendor: plathome, model: openblocks iot vx2, scope: eq, version: 3.3.0

Trust: 0.6

vendor: plathome, model: openblocks iot vx2, scope: eq, version: 3.3.2

Trust: 0.6

sources: CNVD: CNVD-2020-15519 // JVNDB: JVNDB-2020-000020 // CNNVD: CNNVD-202003-152 // NVD: CVE-2020-5536

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-5536
value: HIGH

Trust: 1.0

IPA: JVNDB-2020-000020
value: HIGH

Trust: 0.8

IPA: JVNDB-2020-000020
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-15519
value: LOW

Trust: 0.6

CNNVD: CNNVD-202003-152
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-5536
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2020-000020
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

IPA: JVNDB-2020-000020
severity: MEDIUM
baseScore: 4.8
vectorString: AV:A/AC:L/AU:N/C:N/I:P/A:P
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-15519
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-5536
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

IPA: JVNDB-2020-000020
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

IPA: JVNDB-2020-000020
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-15519 // JVNDB: JVNDB-2020-000020 // JVNDB: JVNDB-2020-000020 // CNNVD: CNNVD-202003-152 // NVD: CVE-2020-5536

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.8

problemtype:CWE-78

Trust: 0.8

sources: JVNDB: JVNDB-2020-000020 // NVD: CVE-2020-5536

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202003-152

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202003-152

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-000020

PATCH

title: OpenBlocks IoT VX2 Software Release Information | FW4.0.0, url: https://www.plathome.co.jp/software/vx2-v4-0-0/

Trust: 0.8

title: Patch for OpenBlocks IoT VX2 Certification Bypass Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/206909

Trust: 0.6

title: Plat'Home OpenBlocks IoT VX2 Remediation measures for authorization problem vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111601

Trust: 0.6

sources: CNVD: CNVD-2020-15519 // JVNDB: JVNDB-2020-000020 // CNNVD: CNNVD-202003-152

EXTERNAL IDS

db: NVD, id: CVE-2020-5536

Trust: 3.0

db: JVN, id: JVN19666251

Trust: 3.0

db: JVNDB, id: JVNDB-2020-000020

Trust: 1.4

db: CNVD, id: CNVD-2020-15519

Trust: 0.6

db: CNNVD, id: CNNVD-202003-152

Trust: 0.6

sources: CNVD: CNVD-2020-15519 // JVNDB: JVNDB-2020-000020 // CNNVD: CNNVD-202003-152 // NVD: CVE-2020-5536

REFERENCES

url:https://jvn.jp/en/jp/jvn19666251/index.html

Trust: 2.2

url:https://www.plathome.co.jp/software/vx2-v4-0-0/

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5535

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5536

Trust: 0.8

url:https://jvn.jp/jp/jvn19666251/index.html

Trust: 0.8

url:https://jvndb.jvn.jp/en/contents/2020/jvndb-2020-000020.html

Trust: 0.6

sources: CNVD: CNVD-2020-15519 // JVNDB: JVNDB-2020-000020 // CNNVD: CNNVD-202003-152 // NVD: CVE-2020-5536

SOURCES

db: CNVD, id: CNVD-2020-15519
db: JVNDB, id: JVNDB-2020-000020
db: CNNVD, id: CNNVD-202003-152
db: NVD, id: CVE-2020-5536

LAST UPDATE DATE

2024-11-23T22:33:33.392000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-15519, date: 2020-03-05T00:00:00
db: JVNDB, id: JVNDB-2020-000020, date: 2020-03-03T00:00:00
db: CNNVD, id: CNNVD-202003-152, date: 2020-03-13T00:00:00
db: NVD, id: CVE-2020-5536, date: 2024-11-21T05:34:14.083

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-15519, date: 2020-03-05T00:00:00
db: JVNDB, id: JVNDB-2020-000020, date: 2020-03-03T00:00:00
db: CNNVD, id: CNNVD-202003-152, date: 2020-03-03T00:00:00
db: NVD, id: CVE-2020-5536, date: 2020-03-04T02:15:13.347