ID

VAR-202005-1059


CVE

CVE-2020-10636


TITLE

Emerson Electric OpenEnterprise encryption problem vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-32662 // CNNVD: CNNVD-202005-948

DESCRIPTION

Inadequate encryption may allow the passwords for Emerson OpenEnterprise versions through 3.3.4 user accounts to be obtained. OpenEnterprise is Emerson's industrial SCADA software. OpenEnterprise contains the following multiple vulnerabilities:

* Improper ownership management (CWE-282) - CVE-2020-10632
* Inadequate cipher strength (CWE-326) - CVE-2020-10636
* Lack of authentication for critical features (CWE-306) - CVE-2020-10640

The potential impact varies for each vulnerability, but may include the following:

* Incorrect access permission settings for folders in the system allow a local third party to tamper with important configuration files, resulting in system failures or unexpected behavior. - CVE-2020-10632
* A local third party may obtain the password of an OpenEnterprise user account. - CVE-2020-10636
* A remote third party may execute arbitrary commands with system privileges or execute arbitrary code via a specific communication path. - CVE-2020-10640

Emerson Electric OpenEnterprise is a supervisory control and data acquisition (SCADA) system from Emerson Electric, mainly used for remote oil and gas applications.

Trust: 2.52

sources: NVD: CVE-2020-10636 // JVNDB: JVNDB-2020-004589 // CNVD: CNVD-2020-32662 // IVD: 58031b0e-70fe-4e95-a4cc-8ddb87aaefa9 // IVD: f46ecf09-7f03-43d5-ade5-b649be1b7ede

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 1.0

sources: IVD: 58031b0e-70fe-4e95-a4cc-8ddb87aaefa9 // IVD: f46ecf09-7f03-43d5-ade5-b649be1b7ede // CNVD: CNVD-2020-32662

AFFECTED PRODUCTS

vendor: emerson, model: electric openenterprise, scope: lte, version: <=3.3.4

Trust: 1.0

vendor: emerson, model: openenterprise scada server, scope: lte, version: 3.3.4

Trust: 1.0

vendor: エマソン, model: openenterprise scada server, scope: eq, version: 3.3.4 all previous s

Trust: 0.8

vendor: エマソン, model: openenterprise scada server, scope: eq, version: -

Trust: 0.8

sources: IVD: 58031b0e-70fe-4e95-a4cc-8ddb87aaefa9 // IVD: f46ecf09-7f03-43d5-ade5-b649be1b7ede // CNVD: CNVD-2020-32662 // JVNDB: JVNDB-2020-004589 // NVD: CVE-2020-10636

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-10636
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2020-10636
value: MEDIUM

Trust: 1.0

IPA: JVNDB-2020-004589
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-32662
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202005-948
value: HIGH

Trust: 0.6

IVD: 58031b0e-70fe-4e95-a4cc-8ddb87aaefa9
value: MEDIUM

Trust: 0.2

IVD: f46ecf09-7f03-43d5-ade5-b649be1b7ede
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2020-10636
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2020-32662
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 58031b0e-70fe-4e95-a4cc-8ddb87aaefa9
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: f46ecf09-7f03-43d5-ade5-b649be1b7ede
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2020-10636
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2020-10636
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.0
impactScore: 4.0
version: 3.1

Trust: 1.0

IPA: JVNDB-2020-004589
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: 3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 58031b0e-70fe-4e95-a4cc-8ddb87aaefa9 // IVD: f46ecf09-7f03-43d5-ade5-b649be1b7ede // CNVD: CNVD-2020-32662 // JVNDB: JVNDB-2020-004589 // CNNVD: CNNVD-202005-948 // NVD: CVE-2020-10636 // NVD: CVE-2020-10636

PROBLEMTYPE DATA

problemtype: CWE-326

Trust: 1.0

problemtype: Lack of authentication for critical features (CWE-306) [NVD evaluation]

Trust: 0.8

problemtype: others (CWE-Other) [NVD evaluation]

Trust: 0.8

problemtype: Inappropriate cryptographic strength (CWE-326) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-004589 // NVD: CVE-2020-10636

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202005-948

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-202005-948

PATCH

title: Emerson SupportNet, url: https://www3.emersonprocess.com/remote/support/v3/main.html

Trust: 0.8

title: Patch for Emerson Electric OpenEnterprise encryption problem vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/221347

Trust: 0.6

title: Emerson Electric OpenEnterprise Fixes for encryption problem vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=119021

Trust: 0.6

sources: CNVD: CNVD-2020-32662 // JVNDB: JVNDB-2020-004589 // CNNVD: CNNVD-202005-948

EXTERNAL IDS

db: NVD, id: CVE-2020-10636

Trust: 4.2

db: ICS CERT, id: ICSA-20-140-02

Trust: 3.0

db: CNVD, id: CNVD-2020-32662

Trust: 1.0

db: CNNVD, id: CNNVD-202005-948

Trust: 1.0

db: JVN, id: JVNVU92838573

Trust: 0.8

db: JVNDB, id: JVNDB-2020-004589

Trust: 0.8

db: NSFOCUS, id: 46742

Trust: 0.6

db: IVD, id: 58031B0E-70FE-4E95-A4CC-8DDB87AAEFA9

Trust: 0.2

db: IVD, id: F46ECF09-7F03-43D5-ADE5-B649BE1B7EDE

Trust: 0.2

sources: IVD: 58031b0e-70fe-4e95-a4cc-8ddb87aaefa9 // IVD: f46ecf09-7f03-43d5-ade5-b649be1b7ede // CNVD: CNVD-2020-32662 // JVNDB: JVNDB-2020-004589 // CNNVD: CNNVD-202005-948 // NVD: CVE-2020-10636

REFERENCES

url: https://www.us-cert.gov/ics/advisories/icsa-20-140-02

Trust: 2.0

url: https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02

Trust: 1.6

url: http://jvn.jp/cert/jvnvu92838573

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-10632

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-10636

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-10640

Trust: 0.8

url: http://www.nsfocus.net/vulndb/46742

Trust: 0.6

url: https://cxsecurity.com/cveshow/cve-2020-10636/

Trust: 0.6

sources: CNVD: CNVD-2020-32662 // JVNDB: JVNDB-2020-004589 // CNNVD: CNNVD-202005-948 // NVD: CVE-2020-10636

CREDITS

Roman Lozko of Kaspersky

Trust: 0.6

sources: CNNVD: CNNVD-202005-948

SOURCES

db: IVD, id: 58031b0e-70fe-4e95-a4cc-8ddb87aaefa9
db: IVD, id: f46ecf09-7f03-43d5-ade5-b649be1b7ede
db: CNVD, id: CNVD-2020-32662
db: JVNDB, id: JVNDB-2020-004589
db: CNNVD, id: CNNVD-202005-948
db: NVD, id: CVE-2020-10636

LAST UPDATE DATE

2024-08-14T14:44:50.054000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-32662, date: 2020-06-12T00:00:00
db: JVNDB, id: JVNDB-2020-004589, date: 2024-06-20T09:12:00
db: CNNVD, id: CNNVD-202005-948, date: 2022-03-08T00:00:00
db: NVD, id: CVE-2020-10636, date: 2022-03-07T20:04:32.380

SOURCES RELEASE DATE

db: IVD, id: 58031b0e-70fe-4e95-a4cc-8ddb87aaefa9, date: 2020-05-19T00:00:00
db: IVD, id: f46ecf09-7f03-43d5-ade5-b649be1b7ede, date: 2020-05-19T00:00:00
db: CNVD, id: CNVD-2020-32662, date: 2020-06-12T00:00:00
db: JVNDB, id: JVNDB-2020-004589, date: 2020-05-21T00:00:00
db: CNNVD, id: CNNVD-202005-948, date: 2020-05-19T00:00:00
db: NVD, id: CVE-2020-10636, date: 2022-02-24T19:15:08.653