ID

VAR-202005-1061


CVE

CVE-2020-10640


TITLE

Multiple vulnerabilities in Emerson OpenEnterprise

Trust: 0.8

sources: JVNDB: JVNDB-2020-004589

DESCRIPTION

Emerson OpenEnterprise versions through 3.3.4 may allow an attacker to run arbitrary commands with system privileges or perform remote code execution via a specific communication service. OpenEnterprise is Emerson's industrial SCADA software. OpenEnterprise contains the following multiple vulnerabilities:

* Improper ownership management (CWE-282) - CVE-2020-10632
* Inadequate cipher strength (CWE-326) - CVE-2020-10636
* Lack of authentication for critical features (CWE-306) - CVE-2020-10640

The potential impact varies by vulnerability and may include:

* Incorrect settings of access permissions for folders in the system allow a local third party to tamper with important configuration files, resulting in system failures or unexpected behavior. - CVE-2020-10640.

Emerson Electric OpenEnterprise is a data acquisition and monitoring (SCADA) system from Emerson Electric, mainly used for remote oil and gas applications. Emerson Electric OpenEnterprise 3.3.4 and previous versions have security vulnerabilities. This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided

Trust: 2.52

sources: NVD: CVE-2020-10640 // JVNDB: JVNDB-2020-004589 // CNVD: CNVD-2020-32664 // IVD: f79ad928-818e-44cd-b31c-fa78af6f0c02 // IVD: 86b065f4-46de-48ab-a901-1f7fa2d71b16

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 1.0

sources: IVD: f79ad928-818e-44cd-b31c-fa78af6f0c02 // IVD: 86b065f4-46de-48ab-a901-1f7fa2d71b16 // CNVD: CNVD-2020-32664

AFFECTED PRODUCTS

vendor: emerson, model: electric openenterprise, scope: lte, version: <=3.3.4

Trust: 1.0

vendor: emerson, model: openenterprise scada server, scope: lte, version: 3.3.4

Trust: 1.0

vendor: エマソン, model: openenterprise scada server, scope: eq, version: 3.3.4 all previous s

Trust: 0.8

vendor: エマソン, model: openenterprise scada server, scope: eq, version: -

Trust: 0.8

sources: IVD: f79ad928-818e-44cd-b31c-fa78af6f0c02 // IVD: 86b065f4-46de-48ab-a901-1f7fa2d71b16 // CNVD: CNVD-2020-32664 // JVNDB: JVNDB-2020-004589 // NVD: CVE-2020-10640

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-10640
value: CRITICAL

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2020-10640
value: CRITICAL

Trust: 1.0

IPA: JVNDB-2020-004589
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2020-32664
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202005-959
value: CRITICAL

Trust: 0.6

IVD: f79ad928-818e-44cd-b31c-fa78af6f0c02
value: HIGH

Trust: 0.2

IVD: 86b065f4-46de-48ab-a901-1f7fa2d71b16
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2020-10640
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2020-32664
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: f79ad928-818e-44cd-b31c-fa78af6f0c02
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 86b065f4-46de-48ab-a901-1f7fa2d71b16
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2020-10640
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2020-10640
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 6.0
version: 3.1

Trust: 1.0

IPA: JVNDB-2020-004589
baseSeverity: CRITICAL
baseScore: 10.0
vectorString: 3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: f79ad928-818e-44cd-b31c-fa78af6f0c02 // IVD: 86b065f4-46de-48ab-a901-1f7fa2d71b16 // CNVD: CNVD-2020-32664 // JVNDB: JVNDB-2020-004589 // CNNVD: CNNVD-202005-959 // NVD: CVE-2020-10640 // NVD: CVE-2020-10640

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.0

problemtype:Lack of authentication for critical features (CWE-306) [NVD evaluation ]

Trust: 0.8

problemtype: others (CWE-Other) [NVD evaluation ]

Trust: 0.8

problemtype: Inappropriate cryptographic strength (CWE-326) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2020-004589 // NVD: CVE-2020-10640

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202005-959

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202005-959

PATCH

title: Emerson SupportNet, url: https://www3.emersonprocess.com/remote/support/v3/main.html

Trust: 0.8

title: Patch for Emerson OpenEnterprise key function certification missing vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/221353

Trust: 0.6

title: Emerson Electric OpenEnterprise Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=119031

Trust: 0.6

sources: CNVD: CNVD-2020-32664 // JVNDB: JVNDB-2020-004589 // CNNVD: CNNVD-202005-959

EXTERNAL IDS

db: NVD, id: CVE-2020-10640

Trust: 4.2

db: ICS CERT, id: ICSA-20-140-02

Trust: 3.0

db: CNVD, id: CNVD-2020-32664

Trust: 1.0

db: CNNVD, id: CNNVD-202005-959

Trust: 1.0

db: JVN, id: JVNVU92838573

Trust: 0.8

db: JVNDB, id: JVNDB-2020-004589

Trust: 0.8

db: NSFOCUS, id: 46743

Trust: 0.6

db: IVD, id: F79AD928-818E-44CD-B31C-FA78AF6F0C02

Trust: 0.2

db: IVD, id: 86B065F4-46DE-48AB-A901-1F7FA2D71B16

Trust: 0.2

sources: IVD: f79ad928-818e-44cd-b31c-fa78af6f0c02 // IVD: 86b065f4-46de-48ab-a901-1f7fa2d71b16 // CNVD: CNVD-2020-32664 // JVNDB: JVNDB-2020-004589 // CNNVD: CNNVD-202005-959 // NVD: CVE-2020-10640

REFERENCES

url: https://www.us-cert.gov/ics/advisories/icsa-20-140-02

Trust: 2.0

url: https://www.cisa.gov/uscert/ics/advisories/icsa-20-140-02

Trust: 1.6

url: http://jvn.jp/cert/jvnvu92838573

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-10632

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-10636

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-10640

Trust: 0.8

url: http://www.nsfocus.net/vulndb/46743

Trust: 0.6

url: https://cxsecurity.com/cveshow/cve-2020-10640/

Trust: 0.6

sources: CNVD: CNVD-2020-32664 // JVNDB: JVNDB-2020-004589 // CNNVD: CNNVD-202005-959 // NVD: CVE-2020-10640

CREDITS

Roman Lozko of Kaspersky

Trust: 0.6

sources: CNNVD: CNNVD-202005-959

SOURCES

db: IVD, id: f79ad928-818e-44cd-b31c-fa78af6f0c02
db: IVD, id: 86b065f4-46de-48ab-a901-1f7fa2d71b16
db: CNVD, id: CNVD-2020-32664
db: JVNDB, id: JVNDB-2020-004589
db: CNNVD, id: CNNVD-202005-959
db: NVD, id: CVE-2020-10640

LAST UPDATE DATE

2024-08-14T14:44:50.113000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-32664, date: 2020-06-12T00:00:00
db: JVNDB, id: JVNDB-2020-004589, date: 2024-06-20T09:12:00
db: CNNVD, id: CNNVD-202005-959, date: 2022-03-11T00:00:00
db: NVD, id: CVE-2020-10640, date: 2022-03-04T18:22:14.143

SOURCES RELEASE DATE

db: IVD, id: f79ad928-818e-44cd-b31c-fa78af6f0c02, date: 2020-05-19T00:00:00
db: IVD, id: 86b065f4-46de-48ab-a901-1f7fa2d71b16, date: 2020-05-19T00:00:00
db: CNVD, id: CNVD-2020-32664, date: 2020-06-12T00:00:00
db: JVNDB, id: JVNDB-2020-004589, date: 2020-05-21T00:00:00
db: CNNVD, id: CNNVD-202005-959, date: 2020-05-19T00:00:00
db: NVD, id: CVE-2020-10640, date: 2022-02-24T19:15:08.707