ID

VAR-202004-0525


CVE

CVE-2020-12134


TITLE

Lack of resource release after valid lifetime in Nanometrics Centaur and TitanSMA

Trust: 0.8

sources: JVNDB: JVNDB-2020-004932

DESCRIPTION

Nanometrics Centaur through 4.3.23 and TitanSMA through 4.2.20 mishandle access control for the syslog log. Nanometrics Centaur and TitanSMA are vulnerable to a lack of resource release after a valid lifetime. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Nanometrics Centaur and Nanometrics TitanSMA are both data loggers from Nanometrics, Canada. There are security vulnerabilities in Nanometrics Centaur 4.3.23 and earlier versions and TitanSMA 4.2.20 and earlier versions. No detailed vulnerability details are currently provided.

The Centaur digital recorder is a portable geophysical sensing acquisition system that consists of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. Its ease of use simplifies high performance geophysical sensing deployments in both remote and networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for infrasound and similar geophysical sensor recording applications requiring sample rates up to 5000 sps.

The TitanSMA is a strong motion accelerograph designed for high precision observational and structural engineering applications, where scientists and engineers require exceptional dynamic range over a wide frequency band.

An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP packets and cause the shared buffer to 'bleed' contents of shared memory and store these in system logs. Accessing these unprotected log files reveals parts of the leaked buffer (up to 17 bytes per sent packet), which can be combined to leak sensitive data that can be used to perform session hijacking and authentication bypass scenarios.

Tested on: Jetty 9.4.z-SNAPSHOT.

Ignition is a powerful industrial application platform with fully integrated development tools for building SCADA, MES, and IIoT solutions. Remote unauthenticated attackers are able to read arbitrary data from other HTTP sessions because Ignition uses a vulnerable Jetty server. When the Jetty web server receives an HTTP request, the code below is used to parse the HTTP headers and their associated values. The server begins by looping through each character of a given header value and checks the following:

- On line 1164, the server checks whether the character is printable ASCII or not a valid ASCII character.
- On line 1172, the server checks whether the character is a space or tab.
- On line 1175, the server checks whether the character is a line feed.
- If the character is non-printable ASCII (or less than 0x20), then all of the checks above are skipped over and the code throws an 'IllegalCharacter' exception on line 1186, passing in the illegal character and a shared buffer.

File: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java

    920: protected boolean parseHeaders(ByteBuffer buffer)
    921: {
    [..snip..]
    1163:         case HEADER_VALUE:
    1164:             if (ch>HttpTokens.SPACE || ch<0)
    1165:             {
    1166:                 _string.append((char)(0xff&ch));
    1167:                 _length=_string.length();
    1168:                 setState(State.HEADER_IN_VALUE);
    1169:                 break;
    1170:             }
    1171:
    1172:             if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)
    1173:                 break;
    1174:
    1175:             if (ch==HttpTokens.LINE_FEED)
    1176:             {
    1177:                 if (_length > 0)
    1178:                 {
    1179:                     _value=null;
    1180:                     _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString());
    1181:                 }
    1182:                 setState(State.HEADER);
    1183:                 break;
    1184:             }
    1185:
    1186:             throw new IllegalCharacter(ch,buffer);

Tested on: Microsoft Windows 7 Professional SP1 (EN), Microsoft Windows 7 Ultimate SP1 (EN), Ubuntu Linux 14.04, Mac OS X, HP-UX Itanium, Jetty (9.2.z-SNAPSHOT), Java/1.8.0_73, Java/1.8.0_66.

Trust: 2.43

sources: NVD: CVE-2020-12134 // JVNDB: JVNDB-2020-004932 // CNVD: CNVD-2021-28723 // ZSL: ZSL-2020-5562 // ZSL: ZSL-2016-5306 // VULMON: CVE-2020-12134
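The following Java example is added here and is not Jetty's, Nanometrics' or Inductive Automation's code. It re-implements the header-value loop from the listing above in a minimal stand-alone form and contrasts the defect pattern the advisory describes (an exception whose message embeds the shared request buffer, so that whatever the buffer still holds ends up in the 400 response and in syslog) with a hardened form that reports only the offending byte value and the parser state. The class and method names, the two exception message formats and the sample buffer contents are assumptions made for illustration.

```java
// Added example (not Jetty's code): the header-value loop from the listing,
// with a leaky and a hardened IllegalCharacter side by side.
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class HeaderValueParserDemo {

    // Parser states named in the listing above.
    enum State { HEADER_VALUE, HEADER_IN_VALUE, HEADER }

    static final byte SPACE = 0x20, TAB = 0x09, LINE_FEED = 0x0A;

    /** Defect pattern: the exception text carries the remaining shared buffer. */
    static class LeakyIllegalCharacter extends IllegalArgumentException {
        LeakyIllegalCharacter(byte ch, ByteBuffer buffer) {
            // Assumed message format; the point is that buffer contents are embedded.
            super(String.format("Illegal character 0x%02X in '%s'", ch,
                    StandardCharsets.ISO_8859_1.decode(buffer.duplicate())));
        }
    }

    /** Hardened pattern: only the byte value and the parser state are reported. */
    static class SafeIllegalCharacter extends IllegalArgumentException {
        SafeIllegalCharacter(byte ch, State state) {
            super(String.format("Illegal character 0x%02X in state %s", ch, state));
        }
    }

    /**
     * Walks one header value the way the listing does: printable or high-bit
     * bytes are appended, SP/HT are skipped, LF ends the value, and any other
     * control byte (below 0x20) is rejected. 'leaky' selects which exception
     * is thrown so both behaviours can be compared on the same input.
     */
    static String parseHeaderValue(ByteBuffer buffer, boolean leaky) {
        StringBuilder value = new StringBuilder();
        State state = State.HEADER_VALUE;
        while (buffer.hasRemaining()) {
            byte ch = buffer.get();
            if (ch > SPACE || ch < 0) {             // printable ASCII or high-bit byte
                value.append((char) (0xff & ch));
                state = State.HEADER_IN_VALUE;
                continue;
            }
            if (ch == SPACE || ch == TAB) continue;  // optional whitespace
            if (ch == LINE_FEED) {                   // end of this header line
                state = State.HEADER;
                return value.toString();
            }
            // Control byte: this is the path the listing's line 1186 takes.
            if (leaky) throw new LeakyIllegalCharacter(ch, buffer);
            throw new SafeIllegalCharacter(ch, state);
        }
        return value.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a shared buffer in which a malformed value is
        // followed by data that does not belong to the failing request.
        byte[] shared = ("bad\u0001value\r\n"
                + "Cookie: JSESSIONID=CONSTRUCTED-LEFTOVER-FROM-ANOTHER-REQUEST\r\n")
                .getBytes(StandardCharsets.ISO_8859_1);

        for (boolean leaky : new boolean[] {true, false}) {
            try {
                parseHeaderValue(ByteBuffer.wrap(shared), leaky);
            } catch (IllegalArgumentException e) {
                // In a server this message is what reaches the error response
                // and the log; only the hardened form is safe to write there.
                System.out.println((leaky ? "vulnerable: " : "hardened:   ") + e.getMessage());
            }
        }
    }
}
```

Running the class prints two lines: the vulnerable message reproduces the constructed cookie that was still sitting in the buffer, the hardened one only says which byte was rejected and in which state. The mitigation is the same in any parser: log the offending byte and state, never the buffer it came from, and keep the logs that receive such messages out of reach of unauthenticated clients.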

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-28723

AFFECTED PRODUCTS

vendor: nanometrics, model: titansma, scope: eq, version: 4.2.20

Trust: 1.5

vendor: nanometrics, model: titansma, scope: lte, version: 4.2.20

Trust: 1.0

vendor: nanometrics, model: centaur, scope: lte, version: 4.3.23

Trust: 1.0

vendor: nanometrics, model: centaur, scope: eq, version: 4.3.23

Trust: 0.9

vendor: nanometrics, model: nanometrics, scope: eq, version: 4.3.23

Trust: 0.6

vendor: nanometrics, model: centaur / titansma unauthenticated remote memory leak exploit, scope: lt, version: centaur <= 4.3.23

Trust: 0.1

vendor: nanometrics, model: centaur / titansma unauthenticated remote memory leak exploit, scope: lt, version: titansma <= 4.2.20

Trust: 0.1

vendor: inductive automation, model: ignition, scope: eq, version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)

Trust: 0.1

sources: ZSL: ZSL-2020-5562 // ZSL: ZSL-2016-5306 // CNVD: CNVD-2021-28723 // VULMON: CVE-2020-12134 // JVNDB: JVNDB-2020-004932 // NVD: CVE-2020-12134

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-12134
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-004932
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2021-28723
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202004-2084
value: MEDIUM

Trust: 0.6

ZSL: ZSL-2020-5562
value: (5/5)

Trust: 0.1

ZSL: ZSL-2016-5306
value: (3/5)

Trust: 0.1

VULMON: CVE-2020-12134
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2020-12134
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-004932
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-28723
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2020-12134
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-004932
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZSL: ZSL-2020-5562 // ZSL: ZSL-2016-5306 // CNVD: CNVD-2021-28723 // VULMON: CVE-2020-12134 // JVNDB: JVNDB-2020-004932 // CNNVD: CNNVD-202004-2084 // NVD: CVE-2020-12134

PROBLEMTYPE DATA

problemtype: CWE-772

Trust: 1.8

sources: JVNDB: JVNDB-2020-004932 // NVD: CVE-2020-12134

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-2084

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202004-2084

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-004932

EXPLOIT AVAILABILITY

sources: ZSL: ZSL-2020-5562 // ZSL: ZSL-2016-5306

PATCH

title: Top Page, url: https://www.nanometrics.ca/

Trust: 0.8

sources: JVNDB: JVNDB-2020-004932

EXTERNAL IDS

db: NVD, id: CVE-2020-12134

Trust: 3.2

db: ZSL, id: ZSL-2020-5562

Trust: 2.6

db: JVNDB, id: JVNDB-2020-004932

Trust: 0.8

db: CNVD, id: CNVD-2021-28723

Trust: 0.6

db: CNNVD, id: CNNVD-202004-2084

Trust: 0.6

db: ZSL, id: ZSL-2016-5306

Trust: 0.2

db: CXSECURITY, id: WLB-2020020091

Trust: 0.1

db: PACKETSTORM, id: 156387

Trust: 0.1

db: EXPLOIT-DB, id: 48098

Trust: 0.1

db: NVD, id: CVE-2015-2080

Trust: 0.1

db: EXPLOIT-DB, id: 39455

Trust: 0.1

db: PACKETSTORM, id: 135804

Trust: 0.1

db: CXSECURITY, id: WLB-2016020156

Trust: 0.1

db: VULMON, id: CVE-2020-12134

Trust: 0.1

sources: ZSL: ZSL-2020-5562 // ZSL: ZSL-2016-5306 // CNVD: CNVD-2021-28723 // VULMON: CVE-2020-12134 // JVNDB: JVNDB-2020-004932 // CNNVD: CNNVD-202004-2084 // NVD: CVE-2020-12134

REFERENCES

url:https://www.zeroscience.mk/en/vulnerabilities/zsl-2020-5562.php

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2020-12134

Trust: 2.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12134

Trust: 0.9

url:https://nvd.nist.gov/vuln/detail/cve-2015-2080

Trust: 0.1

url:https://www.zeroscience.mk/en/vulnerabilities/zsl-2016-5306.php

Trust: 0.1

url:https://packetstormsecurity.com/files/156387

Trust: 0.1

url:https://cxsecurity.com/issue/wlb-2020020091

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/176352

Trust: 0.1

url:https://www.exploit-db.com/exploits/48098

Trust: 0.1

url:http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html

Trust: 0.1

url:https://github.com/gdssecurity/jetleak-testing-script/blob/master/jetleak_tester.py

Trust: 0.1

url:http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md

Trust: 0.1

url:https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2080

Trust: 0.1

url:https://cxsecurity.com/issue/wlb-2016020156

Trust: 0.1

url:https://packetstormsecurity.com/files/135804

Trust: 0.1

url:https://www.exploit-db.com/exploits/39455/

Trust: 0.1

url:http://www.vfocus.net/art/20160222/12576.html

Trust: 0.1

url:https://www.incibe.es/securityadvice/cert_en/early_warning/ics_advisories/fuga_datos_inductive_automation_ignition

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/772.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: ZSL: ZSL-2020-5562 // ZSL: ZSL-2016-5306 // CNVD: CNVD-2021-28723 // VULMON: CVE-2020-12134 // JVNDB: JVNDB-2020-004932 // CNNVD: CNNVD-202004-2084 // NVD: CVE-2020-12134

CREDITS

Vulnerability discovered by byteGoblin

Trust: 0.1

sources: ZSL: ZSL-2020-5562

SOURCES

db: ZSL, id: ZSL-2020-5562
db: ZSL, id: ZSL-2016-5306
db: CNVD, id: CNVD-2021-28723
db: VULMON, id: CVE-2020-12134
db: JVNDB, id: JVNDB-2020-004932
db: CNNVD, id: CNNVD-202004-2084
db: NVD, id: CVE-2020-12134

LAST UPDATE DATE

2024-11-23T22:07:43.059000+00:00


SOURCES UPDATE DATE

db: ZSL, id: ZSL-2020-5562, date: 2020-04-26T00:00:00
db: ZSL, id: ZSL-2016-5306, date: 2016-02-22T00:00:00
db: CNVD, id: CNVD-2021-28723, date: 2021-04-16T00:00:00
db: VULMON, id: CVE-2020-12134, date: 2020-05-06T00:00:00
db: JVNDB, id: JVNDB-2020-004932, date: 2020-06-03T00:00:00
db: CNNVD, id: CNNVD-202004-2084, date: 2020-05-15T00:00:00
db: NVD, id: CVE-2020-12134, date: 2024-11-21T04:59:19.137

SOURCES RELEASE DATE

db: ZSL, id: ZSL-2020-5562, date: 2020-02-15T00:00:00
db: ZSL, id: ZSL-2016-5306, date: 2016-02-16T00:00:00
db: CNVD, id: CNVD-2021-28723, date: 2021-04-16T00:00:00
db: VULMON, id: CVE-2020-12134, date: 2020-04-24T00:00:00
db: JVNDB, id: JVNDB-2020-004932, date: 2020-06-03T00:00:00
db: CNNVD, id: CNNVD-202004-2084, date: 2020-04-23T00:00:00
db: NVD, id: CVE-2020-12134, date: 2020-04-24T01:15:11.367