Sign-up

ID

VAR-202007-0032


CVE

CVE-2020-10609


TITLE

Grundfos Made CIM 500 Multiple vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2020-006476

DESCRIPTION

Grundfos CIM 500 v06.16.00 stores plaintext credentials, which may allow sensitive information to be read or allow modification to system settings by someone with access to the device. Grundfos Provided by the company CIM 500 Is Grundfos This is an expansion module that enables data communication using Ethernet in the equipment manufactured by the manufacturer. CIM 500 The following multiple vulnerabilities exist in. * Lack of authentication for important features (CWE-306) - CVE-2020-10605 * Plaintext storage of authentication information (CWE-256) - CVE-2020-10609The expected impact depends on each vulnerability, but it may be affected as follows. * A remote third party accesses the file containing the password - CVE-2020-10605 * Since the authentication information is stored in plain text in the product, a third party who can access the product can steal sensitive information or change system settings. - CVE-2020-10609. Grundfos CIM 500 is an Ethernet module of Danish Grundfos company. There was a security vulnerability in Grundfos CIM 500 v06.16.00 before version, which was caused by the program storing credentials in clear text. Attackers can use this vulnerability to read sensitive information or modify system configuration

Trust: 2.16

sources: NVD: CVE-2020-10609 // JVNDB: JVNDB-2020-006476 // CNVD: CNVD-2020-38412

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-38412

AFFECTED PRODUCTS

vendor:grundfosmodel:cim 500scope:eqversion:06.16.00

Trust: 1.0

vendor:grundfosmodel:cim 500scope:eqversion:v06.16.00

Trust: 0.8

vendor:grundfosmodel:cimscope:eqversion:500<06.16.00

Trust: 0.6

sources: CNVD: CNVD-2020-38412 // JVNDB: JVNDB-2020-006476 // NVD: CVE-2020-10609

CVSS

SEVERITY

CVSSV2

CVSSV3

IPA: JVNDB-2020-006476
value: HIGH

Trust: 1.6

nvd@nist.gov: CVE-2020-10609
value: HIGH

Trust: 1.0

CNVD: CNVD-2020-38412
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202007-355
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-10609
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2020-38412
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-10609
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

IPA score: JVNDB-2020-006476
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

IPA score: JVNDB-2020-006476
baseSeverity: HIGH
baseScore: 7.5
vectorString: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-38412 // JVNDB: JVNDB-2020-006476 // JVNDB: JVNDB-2020-006476 // CNNVD: CNNVD-202007-355 // NVD: CVE-2020-10609

PROBLEMTYPE DATA

problemtype:CWE-256

Trust: 1.8

problemtype:CWE-522

Trust: 1.0

problemtype:CWE-306

Trust: 0.8

sources: JVNDB: JVNDB-2020-006476 // NVD: CVE-2020-10609

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-355

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202007-355

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-006476

PATCH
title:CIM 500url:https://product-selection.grundfos.com/sg/products/service-partkit/cim-500-98765358
Trust: 0.8
title:Patch for Grundfos CIM 500 Unprotected Credential Storage Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/225333
Trust: 0.6
title:Grundfos CIM 500 Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=123257
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-38412 // 
            
            
            
            JVNDB: JVNDB-2020-006476 // 
            
            
            
            CNNVD: CNNVD-202007-355

EXTERNAL IDS
db:NVDid:CVE-2020-10609
Trust: 3.0
db:ICS CERTid:ICSA-20-189-01
Trust: 3.0
db:JVNid:JVNVU91070438
Trust: 0.8
db:JVNDBid:JVNDB-2020-006476
Trust: 0.8
db:CNVDid:CNVD-2020-38412
Trust: 0.6
db:AUSCERTid:ESB-2020.2311
Trust: 0.6
db:NSFOCUSid:47976
Trust: 0.6
db:CNNVDid:CNNVD-202007-355
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-38412 // 
            
            
            
            JVNDB: JVNDB-2020-006476 // 
            
            
            
            CNNVD: CNNVD-202007-355 // 
            
            
            
            NVD: CVE-2020-10609

REFERENCES
url:https://us-cert.cisa.gov/ics/advisories/icsa-20-189-01
Trust: 3.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10605
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10609
Trust: 0.8
url:https://jvn.jp/vu/jvnvu91070438/
Trust: 0.8
url:http://www.nsfocus.net/vulndb/47976
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.2311/
Trust: 0.6
url:https://nvd.nist.gov/vuln/detail/cve-2020-10609
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-38412 // 
            
            
            
            JVNDB: JVNDB-2020-006476 // 
            
            
            
            CNNVD: CNNVD-202007-355 // 
            
            
            
            NVD: CVE-2020-10609

CREDITS
Marcin Dudek from CERT.PL
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-202007-355

SOURCES
db:CNVDid:CNVD-2020-38412
db:JVNDBid:JVNDB-2020-006476
db:CNNVDid:CNNVD-202007-355
db:NVDid:CVE-2020-10609

LAST UPDATE DATE
2024-11-23T23:04:18.619000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-38412date:2020-07-13T00:00:00
db:JVNDBid:JVNDB-2020-006476date:2020-07-09T00:00:00
db:CNNVDid:CNNVD-202007-355date:2020-08-21T00:00:00
db:NVDid:CVE-2020-10609date:2024-11-21T04:55:41.577

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-38412date:2020-07-13T00:00:00
db:JVNDBid:JVNDB-2020-006476date:2020-07-09T00:00:00
db:CNNVDid:CNNVD-202007-355date:2020-07-07T00:00:00
db:NVDid:CVE-2020-10609date:2020-07-27T19:15:13.637