ID

VAR-202005-1060


CVE

CVE-2020-10632


TITLE

Multiple vulnerabilities in Emerson OpenEnterprise

Trust: 0.8

sources: JVNDB: JVNDB-2020-004589

DESCRIPTION

Inadequate folder security permissions in Emerson OpenEnterprise versions through 3.3.4 may allow modification of important configuration files, which could cause the system to fail or behave in an unpredictable manner.

OpenEnterprise is industrial SCADA software from Emerson. OpenEnterprise contains the following multiple vulnerabilities:

* Improper ownership management (CWE-282) - CVE-2020-10632
* Inadequate cipher strength (CWE-326) - CVE-2020-10636
* Lack of authentication for critical features (CWE-306) - CVE-2020-10640

The potential impact varies for each vulnerability, but may include the following:

* Incorrect access permission settings on folders in the system allow a local third party to tamper with important configuration files, resulting in system failures or unexpected behavior. - CVE-2020-10632
* The password of an OpenEnterprise user account is obtained by a local third party. - CVE-2020-10636
* A remote third party may execute arbitrary commands with system privileges or execute arbitrary code via a specific communication path. - CVE-2020-10640

Emerson Electric OpenEnterprise is a data acquisition and monitoring (SCADA) system from Emerson Electric, mainly used for remote oil and gas applications. There is a security vulnerability in Emerson Electric OpenEnterprise 3.3.4 and earlier versions. The vulnerability results from the program setting unsafe permissions for folders. Attackers can use this vulnerability to modify important configuration files, causing system failures or anomalies.

This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided

Trust: 2.61

sources: NVD: CVE-2020-10632 // JVNDB: JVNDB-2020-004589 // CNVD: CNVD-2020-32663 // IVD: 21189bd7-874f-4161-b42a-d22194346b1c // IVD: 83abc14e-eb03-44cf-90b6-cea015740c6c // VULMON: CVE-2020-10632

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 1.0

sources: IVD: 21189bd7-874f-4161-b42a-d22194346b1c // IVD: 83abc14e-eb03-44cf-90b6-cea015740c6c // CNVD: CNVD-2020-32663

AFFECTED PRODUCTS

vendor: emerson, model: electric openenterprise, scope: lte, version: <=3.3.4

Trust: 1.0

vendor: emerson, model: openenterprise scada server, scope: lte, version: 3.3.4

Trust: 1.0

vendor: エマソン, model: openenterprise scada server, scope: eq, version: 3.3.4 all previous s

Trust: 0.8

vendor: エマソン, model: openenterprise scada server, scope: eq, version: -

Trust: 0.8

sources: IVD: 21189bd7-874f-4161-b42a-d22194346b1c // IVD: 83abc14e-eb03-44cf-90b6-cea015740c6c // CNVD: CNVD-2020-32663 // JVNDB: JVNDB-2020-004589 // NVD: CVE-2020-10632

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-10632
value: MEDIUM

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2020-10632
value: HIGH

Trust: 1.0

NVD: CVE-2020-10632
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-32663
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202005-953
value: MEDIUM

Trust: 0.6

IVD: 21189bd7-874f-4161-b42a-d22194346b1c
value: HIGH

Trust: 0.2

IVD: 83abc14e-eb03-44cf-90b6-cea015740c6c
value: HIGH

Trust: 0.2

VULMON: CVE-2020-10632
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-10632
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2020-32663
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 21189bd7-874f-4161-b42a-d22194346b1c
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 83abc14e-eb03-44cf-90b6-cea015740c6c
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2020-10632
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2020-10632
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.0
impactScore: 6.0
version: 3.1

Trust: 1.0

IPA: JVNDB-2020-004589
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 21189bd7-874f-4161-b42a-d22194346b1c // IVD: 83abc14e-eb03-44cf-90b6-cea015740c6c // CNVD: CNVD-2020-32663 // VULMON: CVE-2020-10632 // JVNDB: JVNDB-2020-004589 // CNNVD: CNNVD-202005-953 // NVD: CVE-2020-10632 // NVD: CVE-2020-10632

PROBLEMTYPE DATA

problemtype: CWE-282

Trust: 1.0

problemtype: NVD-CWE-Other

Trust: 1.0

problemtype: Lack of authentication for critical features (CWE-306) [NVD evaluation]

Trust: 0.8

problemtype: others (CWE-Other) [NVD evaluation]

Trust: 0.8

problemtype: Inappropriate cryptographic strength (CWE-326) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-004589 // NVD: CVE-2020-10632

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202005-953

TYPE

other

Trust: 1.0

sources: IVD: 21189bd7-874f-4161-b42a-d22194346b1c // IVD: 83abc14e-eb03-44cf-90b6-cea015740c6c // CNNVD: CNNVD-202005-953

PATCH

title: Emerson SupportNet, url: https://www3.emersonprocess.com/remote/support/v3/main.html

Trust: 0.8

title: Patch for Emerson OpenEnterprise Rights Management Improper Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/221349

Trust: 0.6

title: Emerson Electric OpenEnterprise Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=119025

Trust: 0.6

sources: CNVD: CNVD-2020-32663 // JVNDB: JVNDB-2020-004589 // CNNVD: CNNVD-202005-953

EXTERNAL IDS

db: NVD, id: CVE-2020-10632

Trust: 4.3

db: ICS CERT, id: ICSA-20-140-02

Trust: 3.1

db: CNVD, id: CNVD-2020-32663

Trust: 1.0

db: CNNVD, id: CNNVD-202005-953

Trust: 1.0

db: JVN, id: JVNVU92838573

Trust: 0.8

db: JVNDB, id: JVNDB-2020-004589

Trust: 0.8

db: NSFOCUS, id: 46744

Trust: 0.6

db: IVD, id: 21189BD7-874F-4161-B42A-D22194346B1C

Trust: 0.2

db: IVD, id: 83ABC14E-EB03-44CF-90B6-CEA015740C6C

Trust: 0.2

db: VULMON, id: CVE-2020-10632

Trust: 0.1

sources: IVD: 21189bd7-874f-4161-b42a-d22194346b1c // IVD: 83abc14e-eb03-44cf-90b6-cea015740c6c // CNVD: CNVD-2020-32663 // VULMON: CVE-2020-10632 // JVNDB: JVNDB-2020-004589 // CNNVD: CNNVD-202005-953 // NVD: CVE-2020-10632

REFERENCES

url:https://www.us-cert.gov/ics/advisories/icsa-20-140-02

Trust: 2.0

url:https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02

Trust: 1.7

url:http://jvn.jp/cert/jvnvu92838573

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-10632

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-10636

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-10640

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2020-10632/

Trust: 0.6

url:http://www.nsfocus.net/vulndb/46744

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2020-32663 // VULMON: CVE-2020-10632 // JVNDB: JVNDB-2020-004589 // CNNVD: CNNVD-202005-953 // NVD: CVE-2020-10632

CREDITS

Roman Lozko of Kaspersky

Trust: 0.6

sources: CNNVD: CNNVD-202005-953

SOURCES

db: IVD, id: 21189bd7-874f-4161-b42a-d22194346b1c
db: IVD, id: 83abc14e-eb03-44cf-90b6-cea015740c6c
db: CNVD, id: CNVD-2020-32663
db: VULMON, id: CVE-2020-10632
db: JVNDB, id: JVNDB-2020-004589
db: CNNVD, id: CNNVD-202005-953
db: NVD, id: CVE-2020-10632

LAST UPDATE DATE

2024-08-14T14:44:50.176000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-32663, date: 2020-06-12T00:00:00
db: VULMON, id: CVE-2020-10632, date: 2022-03-07T00:00:00
db: JVNDB, id: JVNDB-2020-004589, date: 2024-06-20T09:12:00
db: CNNVD, id: CNNVD-202005-953, date: 2022-03-10T00:00:00
db: NVD, id: CVE-2020-10632, date: 2022-03-07T19:58:14.080

SOURCES RELEASE DATE

db: IVD, id: 21189bd7-874f-4161-b42a-d22194346b1c, date: 2020-05-19T00:00:00
db: IVD, id: 83abc14e-eb03-44cf-90b6-cea015740c6c, date: 2020-05-19T00:00:00
db: CNVD, id: CNVD-2020-32663, date: 2020-06-12T00:00:00
db: VULMON, id: CVE-2020-10632, date: 2022-02-24T00:00:00
db: JVNDB, id: JVNDB-2020-004589, date: 2020-05-21T00:00:00
db: CNNVD, id: CNNVD-202005-953, date: 2020-05-19T00:00:00
db: NVD, id: CVE-2020-10632, date: 2022-02-24T19:15:08.543