Sign-up

ID

VAR-202007-0029


CVE

CVE-2020-10605


TITLE

Grundfos CIM 500 access control error vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-38413 // CNNVD: CNNVD-202007-357

DESCRIPTION

Grundfos CIM 500 before v06.16.00 responds to unauthenticated requests for password storage files. Grundfos Provided by the company CIM 500 Is Grundfos This is an expansion module that enables data communication using Ethernet in the equipment manufactured by the manufacturer. CIM 500 The following multiple vulnerabilities exist in. * Lack of authentication for important features (CWE-306) - CVE-2020-10605 * Plaintext storage of authentication information (CWE-256) - CVE-2020-10609The expected impact depends on each vulnerability, but it may be affected as follows. * A remote third party accesses the file containing the password - CVE-2020-10605 * Since the authentication information is stored in plain text in the product, a third party who can access the product can steal sensitive information or change system settings. - CVE-2020-10609. Grundfos CIM 500 is an Ethernet module of Danish Grundfos company. There is an access control error vulnerability in versions prior to Grundfos CIM 500 v06.16.00

Trust: 2.16

sources: NVD: CVE-2020-10605 // JVNDB: JVNDB-2020-006476 // CNVD: CNVD-2020-38413

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-38413

AFFECTED PRODUCTS

vendor:grundfosmodel:cim 500scope:ltversion:06.16.00

Trust: 1.0

vendor:grundfosmodel:cim 500scope:eqversion:v06.16.00

Trust: 0.8

vendor:grundfosmodel:cimscope:eqversion:500<06.16.00

Trust: 0.6

sources: CNVD: CNVD-2020-38413 // JVNDB: JVNDB-2020-006476 // NVD: CVE-2020-10605

CVSS

SEVERITY

CVSSV2

CVSSV3

IPA: JVNDB-2020-006476
value: HIGH

Trust: 1.6

nvd@nist.gov: CVE-2020-10605
value: HIGH

Trust: 1.0

CNVD: CNVD-2020-38413
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202007-357
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-10605
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2020-38413
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-10605
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

IPA score: JVNDB-2020-006476
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

IPA score: JVNDB-2020-006476
baseSeverity: HIGH
baseScore: 7.5
vectorString: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-38413 // JVNDB: JVNDB-2020-006476 // JVNDB: JVNDB-2020-006476 // CNNVD: CNNVD-202007-357 // NVD: CVE-2020-10605

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.8

problemtype:CWE-256

Trust: 0.8

sources: JVNDB: JVNDB-2020-006476 // NVD: CVE-2020-10605

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-357

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202007-357

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-006476

PATCH
title:CIM 500url:https://product-selection.grundfos.com/sg/products/service-partkit/cim-500-98765358
Trust: 0.8
title:Patch for Grundfos CIM 500 access control error vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/225331
Trust: 0.6
title:Grundfos CIM 500 Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=123259
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-38413 // 
            
            
            
            JVNDB: JVNDB-2020-006476 // 
            
            
            
            CNNVD: CNNVD-202007-357

EXTERNAL IDS
db:NVDid:CVE-2020-10605
Trust: 3.0
db:ICS CERTid:ICSA-20-189-01
Trust: 3.0
db:JVNid:JVNVU91070438
Trust: 0.8
db:JVNDBid:JVNDB-2020-006476
Trust: 0.8
db:CNVDid:CNVD-2020-38413
Trust: 0.6
db:AUSCERTid:ESB-2020.2311
Trust: 0.6
db:CNNVDid:CNNVD-202007-357
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-38413 // 
            
            
            
            JVNDB: JVNDB-2020-006476 // 
            
            
            
            CNNVD: CNNVD-202007-357 // 
            
            
            
            NVD: CVE-2020-10605

REFERENCES
url:https://us-cert.cisa.gov/ics/advisories/icsa-20-189-01
Trust: 3.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10605
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10609
Trust: 0.8
url:https://jvn.jp/vu/jvnvu91070438/
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2020-10605
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.2311/
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-38413 // 
            
            
            
            JVNDB: JVNDB-2020-006476 // 
            
            
            
            CNNVD: CNNVD-202007-357 // 
            
            
            
            NVD: CVE-2020-10605

CREDITS
Marcin Dudek from CERT.PL
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-202007-357

SOURCES
db:CNVDid:CNVD-2020-38413
db:JVNDBid:JVNDB-2020-006476
db:CNNVDid:CNNVD-202007-357
db:NVDid:CVE-2020-10605

LAST UPDATE DATE
2024-11-23T23:04:18.649000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-38413date:2020-07-13T00:00:00
db:JVNDBid:JVNDB-2020-006476date:2020-07-09T00:00:00
db:CNNVDid:CNNVD-202007-357date:2020-07-24T00:00:00
db:NVDid:CVE-2020-10605date:2024-11-21T04:55:41.110

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-38413date:2020-07-13T00:00:00
db:JVNDBid:JVNDB-2020-006476date:2020-07-09T00:00:00
db:CNNVDid:CNNVD-202007-357date:2020-07-07T00:00:00
db:NVDid:CVE-2020-10605date:2020-07-17T22:15:11.103