Details of VAR-202004-0057

ID

VAR-202004-0057

CVE

CVE-2020-10641

TITLE

Inductive Automation Made Ignition 8 Gateway Improper access control vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2020-003714

DESCRIPTION

An unprotected logging route may allow an attacker to write endless log statements into the database without space limits or authentication. This results in consuming the entire available hard-disk space on the Ignition 8 Gateway (versions prior to 8.0.10), causing a denial-of-service condition. Inductive Automation Provided by Ignition 8 Gateway contains an improper access control vulnerability. Ignition 8 Gateway teeth, Inductive Automation Industrial software provided by. Ignition 8 Gateway has an improper access control vulnerability when writing logs to the database due to lack of authentication or data usage space restrictions. (CWE-284) exists.A remote third party writes endless logs to the database, causing a shortage of free space on the hard disk and causing service disruption. (DoS) condition may be caused. The platform supports SCADA (data acquisition and monitoring system), HMI (human machine interface), etc

Trust: 2.34

sources: NVD: CVE-2020-10641 // JVNDB: JVNDB-2020-003714 // CNVD: CNVD-2020-57119 // VULHUB: VHN-163140 // VULMON: CVE-2020-10641

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-57119

AFFECTED PRODUCTS

vendor:	inductiveautomation	model:	ignition gateway	scope:	gte	version:	8.0	Trust: 1.0
vendor:	inductiveautomation	model:	ignition gateway	scope:	lt	version:	8.0.10	Trust: 1.0
vendor:	inductive automation	model:	ignition gateway	scope:	eq	version:	-	Trust: 0.8
vendor:	inductive automation	model:	ignition gateway	scope:	-	version:	-	Trust: 0.8
vendor:	inductive automation	model:	ignition gateway	scope:	lt	version:	8.0.10 earlier	Trust: 0.8
vendor:	inductive	model:	automation ignition gateway	scope:	eq	version:	8<8.0.10	Trust: 0.6
vendor:	inductiveautomation	model:	ignition gateway	scope:	eq	version:	8.0	Trust: 0.1
vendor:	inductiveautomation	model:	ignition gateway	scope:	eq	version:	8.0.1	Trust: 0.1
vendor:	inductiveautomation	model:	ignition gateway	scope:	eq	version:	8.0.2	Trust: 0.1
vendor:	inductiveautomation	model:	ignition gateway	scope:	eq	version:	8.0.3	Trust: 0.1
vendor:	inductiveautomation	model:	ignition gateway	scope:	eq	version:	8.0.4	Trust: 0.1
vendor:	inductiveautomation	model:	ignition gateway	scope:	eq	version:	8.0.5	Trust: 0.1
vendor:	inductiveautomation	model:	ignition gateway	scope:	eq	version:	8.0.6	Trust: 0.1
vendor:	inductiveautomation	model:	ignition gateway	scope:	eq	version:	8.0.7	Trust: 0.1
vendor:	inductiveautomation	model:	ignition gateway	scope:	eq	version:	8.0.8	Trust: 0.1
vendor:	inductiveautomation	model:	ignition gateway	scope:	eq	version:	8.0.9	Trust: 0.1

sources: CNVD: CNVD-2020-57119 // VULMON: CVE-2020-10641 // JVNDB: JVNDB-2020-003714 // NVD: CVE-2020-10641

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-10641
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2020-003714
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2020-57119
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202004-1850
value:	HIGH
Trust: 0.6
VULHUB:	VHN-163140
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2020-10641
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-10641
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2020-57119
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-163140
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-10641
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2020-003714
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-57119 // VULHUB: VHN-163140 // VULMON: CVE-2020-10641 // JVNDB: JVNDB-2020-003714 // CNNVD: CNNVD-202004-1850 // NVD: CVE-2020-10641

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.1
problemtype:	CWE-284	Trust: 1.0
problemtype:	Inappropriate access control (CWE-284) [JPCERT/CC evaluation ]	Trust: 0.8
problemtype:	CWE-400	Trust: 0.1

sources: VULHUB: VHN-163140 // JVNDB: JVNDB-2020-003714 // NVD: CVE-2020-10641

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-1850

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202004-1850

PATCH

title:	Download Ignition	url:	https://inductiveautomation.com/downloads/	Trust: 0.8
title:	Patch for Inductive Automation Ignition 8 Gateway resource management error vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/236707	Trust: 0.6
title:	Ignition 8 Gateway Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=116325	Trust: 0.6

sources: CNVD: CNVD-2020-57119 // JVNDB: JVNDB-2020-003714 // CNNVD: CNNVD-202004-1850

EXTERNAL IDS

db:	NVD	id:	CVE-2020-10641	Trust: 4.0
db:	ICS CERT	id:	ICSA-20-112-01	Trust: 3.2
db:	JVN	id:	JVNVU92492058	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-003714	Trust: 0.8
db:	CNVD	id:	CNVD-2020-57119	Trust: 0.7
db:	CNNVD	id:	CNNVD-202004-1850	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.1403	Trust: 0.6
db:	NSFOCUS	id:	47367	Trust: 0.6
db:	VULHUB	id:	VHN-163140	Trust: 0.1
db:	VULMON	id:	CVE-2020-10641	Trust: 0.1

sources: CNVD: CNVD-2020-57119 // VULHUB: VHN-163140 // VULMON: CVE-2020-10641 // JVNDB: JVNDB-2020-003714 // CNNVD: CNNVD-202004-1850 // NVD: CVE-2020-10641

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-20-112-01	Trust: 3.2
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10641	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu92492058/	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/47367	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1403/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/400.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/180237	Trust: 0.1

sources: CNVD: CNVD-2020-57119 // VULHUB: VHN-163140 // VULMON: CVE-2020-10641 // JVNDB: JVNDB-2020-003714 // CNNVD: CNNVD-202004-1850 // NVD: CVE-2020-10641

SOURCES

db:	CNVD	id:	CNVD-2020-57119
db:	VULHUB	id:	VHN-163140
db:	VULMON	id:	CVE-2020-10641
db:	JVNDB	id:	JVNDB-2020-003714
db:	CNNVD	id:	CNNVD-202004-1850
db:	NVD	id:	CVE-2020-10641

LAST UPDATE DATE

2024-11-23T23:11:28.541000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-57119	date:	2020-10-18T00:00:00
db:	VULHUB	id:	VHN-163140	date:	2021-12-20T00:00:00
db:	VULMON	id:	CVE-2020-10641	date:	2020-05-06T00:00:00
db:	JVNDB	id:	JVNDB-2020-003714	date:	2023-11-08T07:22:00
db:	CNNVD	id:	CNNVD-202004-1850	date:	2021-12-21T00:00:00
db:	NVD	id:	CVE-2020-10641	date:	2024-11-21T04:55:45.403

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-57119	date:	2020-10-18T00:00:00
db:	VULHUB	id:	VHN-163140	date:	2020-04-28T00:00:00
db:	VULMON	id:	CVE-2020-10641	date:	2020-04-28T00:00:00
db:	JVNDB	id:	JVNDB-2020-003714	date:	2020-04-23T00:00:00
db:	CNNVD	id:	CNNVD-202004-1850	date:	2020-04-21T00:00:00
db:	NVD	id:	CVE-2020-10641	date:	2020-04-28T19:15:12.207