Details of VAR-202004-2037

ID

VAR-202004-2037

CVE

CVE-2020-6992

TITLE

GE Digital Made CIMPLICITY Improper authority management vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2020-003278

DESCRIPTION

A local privilege escalation vulnerability has been identified in the GE Digital CIMPLICITY HMI/SCADA product v10.0 and prior. If exploited, this vulnerability could allow an adversary to modify the system, leading to the arbitrary execution of code. This vulnerability is only exploitable if an attacker has access to an authenticated session. GE Digital CIMPLICITY v11.0, released January 2020, contains mitigation for this local privilege escalation vulnerability. GE Digital recommends all users upgrade to GE CIMPLICITY v11.0 or newer. CIMPLICITY Inappropriate authority management vulnerabilities (CWE-269) Exists. GE CIMPLICITY is a client/server-based HMI/SCADA solution from General Electric (GE) of the United States. The solution can collect and share real-time and historical data between all levels of the enterprise, and realize the operation visualization of process, equipment and resource monitoring

Trust: 2.79

sources: NVD: CVE-2020-6992 // JVNDB: JVNDB-2020-003278 // CNVD: CNVD-2020-22318 // IVD: 7da42928-7c08-4225-bfdf-8978c341a37a // IVD: 5bcac29d-8726-4410-b55b-bf233b8aaeaf // IVD: 6d889fac-0db2-48e3-982e-eac48e690731 // VULMON: CVE-2020-6992

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 1.2

sources: IVD: 7da42928-7c08-4225-bfdf-8978c341a37a // IVD: 5bcac29d-8726-4410-b55b-bf233b8aaeaf // IVD: 6d889fac-0db2-48e3-982e-eac48e690731 // CNVD: CNVD-2020-22318

AFFECTED PRODUCTS

vendor:	ge	model:	cimplicity	scope:	lte	version:	10.0	Trust: 1.0
vendor:	general electric	model:	cimplicity	scope:	eq	version:	10.0	Trust: 0.8
vendor:	cimplicity	model:	-	scope:	eq	version:	*	Trust: 0.6
vendor:	ge	model:	cimplicity	scope:	lte	version:	<=v10.0	Trust: 0.6

sources: IVD: 7da42928-7c08-4225-bfdf-8978c341a37a // IVD: 5bcac29d-8726-4410-b55b-bf233b8aaeaf // IVD: 6d889fac-0db2-48e3-982e-eac48e690731 // CNVD: CNVD-2020-22318 // JVNDB: JVNDB-2020-003278 // NVD: CVE-2020-6992

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-6992
value:	MEDIUM
Trust: 1.0
IPA:	JVNDB-2020-003278
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-22318
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202004-378
value:	MEDIUM
Trust: 0.6
IVD:	7da42928-7c08-4225-bfdf-8978c341a37a
value:	MEDIUM
Trust: 0.2
IVD:	5bcac29d-8726-4410-b55b-bf233b8aaeaf
value:	MEDIUM
Trust: 0.2
IVD:	6d889fac-0db2-48e3-982e-eac48e690731
value:	MEDIUM
Trust: 0.2
VULMON:	CVE-2020-6992
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-6992
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2020-22318
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7da42928-7c08-4225-bfdf-8978c341a37a
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	5bcac29d-8726-4410-b55b-bf233b8aaeaf
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	6d889fac-0db2-48e3-982e-eac48e690731
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2020-6992
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.8
impactScore:	5.9
version:	3.1
Trust: 1.0
IPA score:	JVNDB-2020-003278
baseSeverity:	MEDIUM
baseScore:	6.0
vectorString:	CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: 7da42928-7c08-4225-bfdf-8978c341a37a // IVD: 5bcac29d-8726-4410-b55b-bf233b8aaeaf // IVD: 6d889fac-0db2-48e3-982e-eac48e690731 // CNVD: CNVD-2020-22318 // VULMON: CVE-2020-6992 // JVNDB: JVNDB-2020-003278 // CNNVD: CNNVD-202004-378 // NVD: CVE-2020-6992

PROBLEMTYPE DATA

problemtype:

CWE-269

Trust: 1.8

sources: JVNDB: JVNDB-2020-003278 // NVD: CVE-2020-6992

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202004-378

TYPE

other

Trust: 1.2

sources: IVD: 7da42928-7c08-4225-bfdf-8978c341a37a // IVD: 5bcac29d-8726-4410-b55b-bf233b8aaeaf // IVD: 6d889fac-0db2-48e3-982e-eac48e690731 // CNNVD: CNNVD-202004-378

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003278

PATCH

title:	Customer Center	url:	https://digitalsupport.ge.com/communities/CC_Contact	Trust: 0.8
title:	Patch for GE CIMPLICITY permission elevation vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/213375	Trust: 0.6
title:	GE CIMPLICITY Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=115598	Trust: 0.6
title:	-	url:	https://github.com/JianmingGuo/Sicsp_ICS	Trust: 0.1

sources: CNVD: CNVD-2020-22318 // VULMON: CVE-2020-6992 // JVNDB: JVNDB-2020-003278 // CNNVD: CNNVD-202004-378

EXTERNAL IDS

db:	NVD	id:	CVE-2020-6992	Trust: 3.7
db:	ICS CERT	id:	ICSA-20-098-02	Trust: 3.1
db:	CNVD	id:	CNVD-2020-22318	Trust: 1.2
db:	CNNVD	id:	CNNVD-202004-378	Trust: 1.2
db:	JVN	id:	JVNVU95253418	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-003278	Trust: 0.8
db:	AUSCERT	id:	ESB-2020.1252	Trust: 0.6
db:	NSFOCUS	id:	47765	Trust: 0.6
db:	IVD	id:	7DA42928-7C08-4225-BFDF-8978C341A37A	Trust: 0.2
db:	IVD	id:	5BCAC29D-8726-4410-B55B-BF233B8AAEAF	Trust: 0.2
db:	IVD	id:	6D889FAC-0DB2-48E3-982E-EAC48E690731	Trust: 0.2
db:	VULMON	id:	CVE-2020-6992	Trust: 0.1

sources: IVD: 7da42928-7c08-4225-bfdf-8978c341a37a // IVD: 5bcac29d-8726-4410-b55b-bf233b8aaeaf // IVD: 6d889fac-0db2-48e3-982e-eac48e690731 // CNVD: CNVD-2020-22318 // VULMON: CVE-2020-6992 // JVNDB: JVNDB-2020-003278 // CNNVD: CNNVD-202004-378 // NVD: CVE-2020-6992

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-20-098-02	Trust: 3.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-6992	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu95253418/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-6992	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/47765	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.1252/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/269.html	Trust: 0.1
url:	https://github.com/jianmingguo/sicsp_ics	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2020-22318 // VULMON: CVE-2020-6992 // JVNDB: JVNDB-2020-003278 // CNNVD: CNNVD-202004-378 // NVD: CVE-2020-6992

SOURCES

db:	IVD	id:	7da42928-7c08-4225-bfdf-8978c341a37a
db:	IVD	id:	5bcac29d-8726-4410-b55b-bf233b8aaeaf
db:	IVD	id:	6d889fac-0db2-48e3-982e-eac48e690731
db:	CNVD	id:	CNVD-2020-22318
db:	VULMON	id:	CVE-2020-6992
db:	JVNDB	id:	JVNDB-2020-003278
db:	CNNVD	id:	CNNVD-202004-378
db:	NVD	id:	CVE-2020-6992

LAST UPDATE DATE

2024-11-23T21:35:52.244000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-22318	date:	2020-04-12T00:00:00
db:	VULMON	id:	CVE-2020-6992	date:	2020-04-22T00:00:00
db:	JVNDB	id:	JVNDB-2020-003278	date:	2020-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202004-378	date:	2020-08-14T00:00:00
db:	NVD	id:	CVE-2020-6992	date:	2024-11-21T05:36:27.013

SOURCES RELEASE DATE

db:	IVD	id:	7da42928-7c08-4225-bfdf-8978c341a37a	date:	2020-04-07T00:00:00
db:	IVD	id:	5bcac29d-8726-4410-b55b-bf233b8aaeaf	date:	2020-04-07T00:00:00
db:	IVD	id:	6d889fac-0db2-48e3-982e-eac48e690731	date:	2020-04-07T00:00:00
db:	CNVD	id:	CNVD-2020-22318	date:	2020-04-10T00:00:00
db:	VULMON	id:	CVE-2020-6992	date:	2020-04-15T00:00:00
db:	JVNDB	id:	JVNDB-2020-003278	date:	2020-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202004-378	date:	2020-04-07T00:00:00
db:	NVD	id:	CVE-2020-6992	date:	2020-04-15T17:15:14.953