Details of VAR-202005-0049

ID

VAR-202005-0049

CVE

CVE-2020-10620

TITLE

Opto 22 SoftPAC Project Authorization Issue Vulnerability

Trust: 1.0

sources: IVD: d250c32c-55c9-4fd5-b3ad-2f48bbde8d8a // IVD: f5e52199-3d15-476d-ad6c-04b032e1dfaa // CNVD: CNVD-2020-29559

DESCRIPTION

Opto 22 SoftPAC Project Version 9.6 and prior. SoftPAC communication does not include any credentials. This allows an attacker with network access to directly communicate with SoftPAC, including, for example, stopping the service remotely. Opto 22 SoftPAC Project Exists in a vulnerability related to lack of authentication.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. The product can provide functions such as industrial automation, process control, building automation, remote monitoring, data acquisition, and industrial Internet of Things. The vulnerability stems from the fact that no credentials are required when communicating with SoftPAC

Trust: 3.06

sources: NVD: CVE-2020-10620 // JVNDB: JVNDB-2020-005448 // CNVD: CNVD-2020-29559 // CNNVD: CNNVD-202005-801 // IVD: d250c32c-55c9-4fd5-b3ad-2f48bbde8d8a // IVD: f5e52199-3d15-476d-ad6c-04b032e1dfaa

IOT TAXONOMY

category:	['IoT', 'ICS']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.4

sources: IVD: d250c32c-55c9-4fd5-b3ad-2f48bbde8d8a // IVD: f5e52199-3d15-476d-ad6c-04b032e1dfaa // CNVD: CNVD-2020-29559

AFFECTED PRODUCTS

vendor:	opto22	model:	softpac project	scope:	lte	version:	9.6	Trust: 1.0
vendor:	opto 22	model:	softpac project	scope:	eq	version:	9.6	Trust: 0.8
vendor:	opto22	model:	pac control basic	scope:	lte	version:	<=9.6	Trust: 0.6
vendor:	softpac	model:	-	scope:	eq	version:	*	Trust: 0.4

sources: IVD: d250c32c-55c9-4fd5-b3ad-2f48bbde8d8a // IVD: f5e52199-3d15-476d-ad6c-04b032e1dfaa // CNVD: CNVD-2020-29559 // JVNDB: JVNDB-2020-005448 // NVD: CVE-2020-10620

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-10620
value:	CRITICAL
Trust: 1.0
NVD:	JVNDB-2020-005448
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2020-29559
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202005-801
value:	CRITICAL
Trust: 0.6
IVD:	d250c32c-55c9-4fd5-b3ad-2f48bbde8d8a
value:	HIGH
Trust: 0.2
IVD:	f5e52199-3d15-476d-ad6c-04b032e1dfaa
value:	HIGH
Trust: 0.2

nvd@nist.gov:	CVE-2020-10620
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-005448
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-29559
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	d250c32c-55c9-4fd5-b3ad-2f48bbde8d8a
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	f5e52199-3d15-476d-ad6c-04b032e1dfaa
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2020-10620
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-005448
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: d250c32c-55c9-4fd5-b3ad-2f48bbde8d8a // IVD: f5e52199-3d15-476d-ad6c-04b032e1dfaa // CNVD: CNVD-2020-29559 // JVNDB: JVNDB-2020-005448 // CNNVD: CNNVD-202005-801 // NVD: CVE-2020-10620

PROBLEMTYPE DATA

problemtype:	CWE-862	Trust: 1.8
problemtype:	CWE-285	Trust: 1.0

sources: JVNDB: JVNDB-2020-005448 // NVD: CVE-2020-10620

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202005-801

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202005-801

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-005448

PATCH

title:	Top Page	url:	https://www.opto22.com/	Trust: 0.8
title:	Patch for Opto 22 SoftPAC Project authorization issue vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/218471	Trust: 0.6
title:	Opto 22 SoftPAC Project Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=118754	Trust: 0.6

sources: CNVD: CNVD-2020-29559 // JVNDB: JVNDB-2020-005448 // CNNVD: CNNVD-202005-801

EXTERNAL IDS

db:	NVD	id:	CVE-2020-10620	Trust: 3.4
db:	ICS CERT	id:	ICSA-20-135-01	Trust: 2.4
db:	CNVD	id:	CNVD-2020-29559	Trust: 1.0
db:	CNNVD	id:	CNNVD-202005-801	Trust: 1.0
db:	JVN	id:	JVNVU98824176	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-005448	Trust: 0.8
db:	NSFOCUS	id:	46724	Trust: 0.6
db:	IVD	id:	D250C32C-55C9-4FD5-B3AD-2F48BBDE8D8A	Trust: 0.2
db:	IVD	id:	F5E52199-3D15-476D-AD6C-04B032E1DFAA	Trust: 0.2

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-20-135-01	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10620	Trust: 2.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10620	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu98824176/index.html	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/46724	Trust: 0.6

sources: CNVD: CNVD-2020-29559 // JVNDB: JVNDB-2020-005448 // CNNVD: CNNVD-202005-801 // NVD: CVE-2020-10620

CREDITS

Mashav Sapir of Claroty

Trust: 0.6

sources: CNNVD: CNNVD-202005-801

SOURCES

db:	IVD	id:	d250c32c-55c9-4fd5-b3ad-2f48bbde8d8a
db:	IVD	id:	f5e52199-3d15-476d-ad6c-04b032e1dfaa
db:	CNVD	id:	CNVD-2020-29559
db:	JVNDB	id:	JVNDB-2020-005448
db:	CNNVD	id:	CNNVD-202005-801
db:	NVD	id:	CVE-2020-10620

LAST UPDATE DATE

2024-11-23T22:05:38.998000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-29559	date:	2020-05-22T00:00:00
db:	JVNDB	id:	JVNDB-2020-005448	date:	2020-06-15T00:00:00
db:	CNNVD	id:	CNNVD-202005-801	date:	2020-05-22T00:00:00
db:	NVD	id:	CVE-2020-10620	date:	2024-11-21T04:55:42.820

SOURCES RELEASE DATE

db:	IVD	id:	d250c32c-55c9-4fd5-b3ad-2f48bbde8d8a	date:	2020-05-14T00:00:00
db:	IVD	id:	f5e52199-3d15-476d-ad6c-04b032e1dfaa	date:	2020-05-14T00:00:00
db:	CNVD	id:	CNVD-2020-29559	date:	2020-05-22T00:00:00
db:	JVNDB	id:	JVNDB-2020-005448	date:	2020-06-15T00:00:00
db:	CNNVD	id:	CNNVD-202005-801	date:	2020-05-14T00:00:00
db:	NVD	id:	CVE-2020-10620	date:	2020-05-14T21:15:13.010