Details of VAR-202005-0316

ID

VAR-202005-0316

CVE

CVE-2020-12046

TITLE

Opto 22 SoftPAC Project Data Forgery Vulnerability

Trust: 1.0

sources: IVD: b22c0495-769f-48da-9ef6-5618146b0740 // IVD: 782afa90-ddc4-4a9c-81b0-baa6d02f4a98 // CNVD: CNVD-2020-29561

DESCRIPTION

Opto 22 SoftPAC Project Version 9.6 and prior. SoftPAC’s firmware files’ signatures are not verified upon firmware update. This allows an attacker to replace legitimate firmware files with malicious files. Opto 22 SoftPAC Project Exists in a digital signature validation vulnerability.Information may be tampered with. The product can provide functions such as industrial automation, process control, building automation, remote monitoring, data acquisition, and industrial Internet of Things

Trust: 3.06

sources: NVD: CVE-2020-12046 // JVNDB: JVNDB-2020-005450 // CNVD: CNVD-2020-29561 // CNNVD: CNNVD-202005-808 // IVD: b22c0495-769f-48da-9ef6-5618146b0740 // IVD: 782afa90-ddc4-4a9c-81b0-baa6d02f4a98

IOT TAXONOMY

category:	['IoT', 'ICS']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.4

sources: IVD: b22c0495-769f-48da-9ef6-5618146b0740 // IVD: 782afa90-ddc4-4a9c-81b0-baa6d02f4a98 // CNVD: CNVD-2020-29561

AFFECTED PRODUCTS

vendor:	opto22	model:	softpac project	scope:	lte	version:	9.6	Trust: 1.0
vendor:	opto 22	model:	softpac project	scope:	eq	version:	9.6	Trust: 0.8
vendor:	opto22	model:	pac control basic	scope:	lte	version:	<=9.6	Trust: 0.6
vendor:	softpac	model:	-	scope:	eq	version:	*	Trust: 0.4

sources: IVD: b22c0495-769f-48da-9ef6-5618146b0740 // IVD: 782afa90-ddc4-4a9c-81b0-baa6d02f4a98 // CNVD: CNVD-2020-29561 // JVNDB: JVNDB-2020-005450 // NVD: CVE-2020-12046

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-12046
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-005450
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-29561
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-202005-808
value:	MEDIUM
Trust: 0.6
IVD:	b22c0495-769f-48da-9ef6-5618146b0740
value:	MEDIUM
Trust: 0.2
IVD:	782afa90-ddc4-4a9c-81b0-baa6d02f4a98
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2020-12046
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-005450
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-29561
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	b22c0495-769f-48da-9ef6-5618146b0740
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	782afa90-ddc4-4a9c-81b0-baa6d02f4a98
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2020-12046
baseSeverity:	MEDIUM
baseScore:	5.7
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.1
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-005450
baseSeverity:	MEDIUM
baseScore:	5.7
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: IVD: b22c0495-769f-48da-9ef6-5618146b0740 // IVD: 782afa90-ddc4-4a9c-81b0-baa6d02f4a98 // CNVD: CNVD-2020-29561 // JVNDB: JVNDB-2020-005450 // CNNVD: CNNVD-202005-808 // NVD: CVE-2020-12046

PROBLEMTYPE DATA

problemtype:

CWE-347

Trust: 1.8

sources: JVNDB: JVNDB-2020-005450 // NVD: CVE-2020-12046

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202005-808

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-202005-808

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-005450

PATCH

title:	Top Page	url:	https://www.opto22.com/	Trust: 0.8
title:	Patch for Opto 22 SoftPAC Project Data Forgery Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/218475	Trust: 0.6
title:	Opto 22 SoftPAC Project Repair measures for data forgery problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=118761	Trust: 0.6

sources: CNVD: CNVD-2020-29561 // JVNDB: JVNDB-2020-005450 // CNNVD: CNNVD-202005-808

EXTERNAL IDS

db:	NVD	id:	CVE-2020-12046	Trust: 3.4
db:	ICS CERT	id:	ICSA-20-135-01	Trust: 2.4
db:	CNVD	id:	CNVD-2020-29561	Trust: 1.0
db:	CNNVD	id:	CNNVD-202005-808	Trust: 1.0
db:	JVN	id:	JVNVU98824176	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-005450	Trust: 0.8
db:	NSFOCUS	id:	46728	Trust: 0.6
db:	IVD	id:	B22C0495-769F-48DA-9EF6-5618146B0740	Trust: 0.2
db:	IVD	id:	782AFA90-DDC4-4A9C-81B0-BAA6D02F4A98	Trust: 0.2

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-20-135-01	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12046	Trust: 2.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12046	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu98824176/index.html	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/46728	Trust: 0.6

sources: CNVD: CNVD-2020-29561 // JVNDB: JVNDB-2020-005450 // CNNVD: CNNVD-202005-808 // NVD: CVE-2020-12046

CREDITS

Mashav Sapir of Claroty

Trust: 0.6

sources: CNNVD: CNNVD-202005-808

SOURCES

db:	IVD	id:	b22c0495-769f-48da-9ef6-5618146b0740
db:	IVD	id:	782afa90-ddc4-4a9c-81b0-baa6d02f4a98
db:	CNVD	id:	CNVD-2020-29561
db:	JVNDB	id:	JVNDB-2020-005450
db:	CNNVD	id:	CNNVD-202005-808
db:	NVD	id:	CVE-2020-12046

LAST UPDATE DATE

2024-11-23T22:05:39.068000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-29561	date:	2020-05-22T00:00:00
db:	JVNDB	id:	JVNDB-2020-005450	date:	2020-06-15T00:00:00
db:	CNNVD	id:	CNNVD-202005-808	date:	2020-05-22T00:00:00
db:	NVD	id:	CVE-2020-12046	date:	2024-11-21T04:59:10.477

SOURCES RELEASE DATE

db:	IVD	id:	b22c0495-769f-48da-9ef6-5618146b0740	date:	2020-05-14T00:00:00
db:	IVD	id:	782afa90-ddc4-4a9c-81b0-baa6d02f4a98	date:	2020-05-14T00:00:00
db:	CNVD	id:	CNVD-2020-29561	date:	2020-05-22T00:00:00
db:	JVNDB	id:	JVNDB-2020-005450	date:	2020-06-15T00:00:00
db:	CNNVD	id:	CNNVD-202005-808	date:	2020-05-14T00:00:00
db:	NVD	id:	CVE-2020-12046	date:	2020-05-14T21:15:13.180