Details of VAR-202005-0315

ID

VAR-202005-0315

CVE

CVE-2020-12042

TITLE

Opto 22 SoftPAC Project Digital Signature Verification Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-005449

DESCRIPTION

Opto 22 SoftPAC Project Version 9.6 and prior. Paths specified within the zip files used to update the SoftPAC firmware are not sanitized. As a result, an attacker with user privileges can gain arbitrary file write access with system access. Opto 22 SoftPAC Project Exists in a digital signature validation vulnerability.Information may be tampered with. The product can provide functions such as industrial automation, process control, building automation, remote monitoring, data acquisition, and industrial Internet of Things

Trust: 3.06

sources: NVD: CVE-2020-12042 // JVNDB: JVNDB-2020-005449 // CNVD: CNVD-2020-29560 // CNNVD: CNNVD-202005-806 // IVD: a6c16f43-3c4b-444c-8a13-aa49139c3e50 // IVD: e5b22756-8c85-4226-9499-fa6679cb753c

IOT TAXONOMY

category:	['IoT', 'ICS']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.4

sources: IVD: a6c16f43-3c4b-444c-8a13-aa49139c3e50 // IVD: e5b22756-8c85-4226-9499-fa6679cb753c // CNVD: CNVD-2020-29560

AFFECTED PRODUCTS

vendor:	opto22	model:	softpac project	scope:	lte	version:	9.6	Trust: 1.0
vendor:	opto 22	model:	softpac project	scope:	eq	version:	9.6	Trust: 0.8
vendor:	opto22	model:	pac control basic	scope:	lte	version:	<=9.6	Trust: 0.6
vendor:	softpac	model:	-	scope:	eq	version:	*	Trust: 0.4

sources: IVD: a6c16f43-3c4b-444c-8a13-aa49139c3e50 // IVD: e5b22756-8c85-4226-9499-fa6679cb753c // CNVD: CNVD-2020-29560 // JVNDB: JVNDB-2020-005449 // NVD: CVE-2020-12042

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-12042
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-005449
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-29560
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202005-806
value:	MEDIUM
Trust: 0.6
IVD:	a6c16f43-3c4b-444c-8a13-aa49139c3e50
value:	MEDIUM
Trust: 0.2
IVD:	e5b22756-8c85-4226-9499-fa6679cb753c
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2020-12042
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-005449
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-29560
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	a6c16f43-3c4b-444c-8a13-aa49139c3e50
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	e5b22756-8c85-4226-9499-fa6679cb753c
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2020-12042
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-005449
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: a6c16f43-3c4b-444c-8a13-aa49139c3e50 // IVD: e5b22756-8c85-4226-9499-fa6679cb753c // CNVD: CNVD-2020-29560 // JVNDB: JVNDB-2020-005449 // CNNVD: CNNVD-202005-806 // NVD: CVE-2020-12042

PROBLEMTYPE DATA

problemtype:

CWE-347

Trust: 1.8

sources: JVNDB: JVNDB-2020-005449 // NVD: CVE-2020-12042

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202005-806

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-202005-806

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-005449

PATCH

title:	Top Page	url:	https://www.opto22.com/	Trust: 0.8
title:	Patch for Opto 22 SoftPAC Project Data Forgery Vulnerability (CNVD-2020-29560)	url:	https://www.cnvd.org.cn/patchInfo/show/218473	Trust: 0.6
title:	Opto 22 SoftPAC Project Repair measures for data forgery problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=118759	Trust: 0.6

sources: CNVD: CNVD-2020-29560 // JVNDB: JVNDB-2020-005449 // CNNVD: CNNVD-202005-806

EXTERNAL IDS

db:	NVD	id:	CVE-2020-12042	Trust: 3.4
db:	ICS CERT	id:	ICSA-20-135-01	Trust: 2.4
db:	CNVD	id:	CNVD-2020-29560	Trust: 1.0
db:	CNNVD	id:	CNNVD-202005-806	Trust: 1.0
db:	JVN	id:	JVNVU98824176	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-005449	Trust: 0.8
db:	NSFOCUS	id:	46726	Trust: 0.6
db:	IVD	id:	A6C16F43-3C4B-444C-8A13-AA49139C3E50	Trust: 0.2
db:	IVD	id:	E5B22756-8C85-4226-9499-FA6679CB753C	Trust: 0.2

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-20-135-01	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12042	Trust: 2.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12042	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu98824176/index.html	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/46726	Trust: 0.6

sources: CNVD: CNVD-2020-29560 // JVNDB: JVNDB-2020-005449 // CNNVD: CNNVD-202005-806 // NVD: CVE-2020-12042

CREDITS

Mashav Sapir of Claroty

Trust: 0.6

sources: CNNVD: CNNVD-202005-806

SOURCES

db:	IVD	id:	a6c16f43-3c4b-444c-8a13-aa49139c3e50
db:	IVD	id:	e5b22756-8c85-4226-9499-fa6679cb753c
db:	CNVD	id:	CNVD-2020-29560
db:	JVNDB	id:	JVNDB-2020-005449
db:	CNNVD	id:	CNNVD-202005-806
db:	NVD	id:	CVE-2020-12042

LAST UPDATE DATE

2024-11-23T22:05:39.104000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-29560	date:	2020-05-22T00:00:00
db:	JVNDB	id:	JVNDB-2020-005449	date:	2020-06-15T00:00:00
db:	CNNVD	id:	CNNVD-202005-806	date:	2020-05-22T00:00:00
db:	NVD	id:	CVE-2020-12042	date:	2024-11-21T04:59:10.177

SOURCES RELEASE DATE

db:	IVD	id:	a6c16f43-3c4b-444c-8a13-aa49139c3e50	date:	2020-05-14T00:00:00
db:	IVD	id:	e5b22756-8c85-4226-9499-fa6679cb753c	date:	2020-05-14T00:00:00
db:	CNVD	id:	CNVD-2020-29560	date:	2020-05-22T00:00:00
db:	JVNDB	id:	JVNDB-2020-005449	date:	2020-06-15T00:00:00
db:	CNNVD	id:	CNNVD-202005-806	date:	2020-05-14T00:00:00
db:	NVD	id:	CVE-2020-12042	date:	2020-05-14T21:15:13.103