Details of VAR-202007-0046

ID

VAR-202007-0046

CVE

CVE-2020-10919

TITLE

C-MORE HMI EA9 In firmware Vulnerability in using weak password encryption

Trust: 0.8

sources: JVNDB: JVNDB-2020-008745

DESCRIPTION

This vulnerability allows remote attackers to disclose sensitive information on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. When transmitting passwords, the process encrypts them in a recoverable format. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-10185. C-MORE HMI EA9 There is a vulnerability in the firmware regarding the use of weak password encryption. Zero Day Initiative To this vulnerability ZDI-CAN-10185 Was numbered.Information may be obtained. C-More HMI EA9 is a human-machine interface touch panel

Trust: 2.88

sources: NVD: CVE-2020-10919 // JVNDB: JVNDB-2020-008745 // ZDI: ZDI-20-806 // CNVD: CNVD-2020-49042 // VULMON: CVE-2020-10919

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-49042

AFFECTED PRODUCTS

vendor:	automationdirect	model:	c-more hmi ea9	scope:	eq	version:	6.52	Trust: 1.8
vendor:	c more	model:	hmi ea9	scope:	-	version:	-	Trust: 0.7
vendor:	c more	model:	hmi ea9	scope:	eq	version:	6.52	Trust: 0.6

sources: ZDI: ZDI-20-806 // CNVD: CNVD-2020-49042 // JVNDB: JVNDB-2020-008745 // NVD: CVE-2020-10919

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-10919
value:	MEDIUM
Trust: 1.0
zdi-disclosures@trendmicro.com:	CVE-2020-10919
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-008745
value:	MEDIUM
Trust: 0.8
ZDI:	CVE-2020-10919
value:	MEDIUM
Trust: 0.7
CNVD:	CNVD-2020-49042
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202007-341
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2020-10919
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-10919
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	JVNDB-2020-008745
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-49042
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-10919
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	3.6
version:	3.1
Trust: 1.0
zdi-disclosures@trendmicro.com:	CVE-2020-10919
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	3.6
version:	3.0
Trust: 1.0
NVD:	JVNDB-2020-008745
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2020-10919
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	3.6
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-20-806 // CNVD: CNVD-2020-49042 // VULMON: CVE-2020-10919 // JVNDB: JVNDB-2020-008745 // CNNVD: CNNVD-202007-341 // NVD: CVE-2020-10919 // NVD: CVE-2020-10919

PROBLEMTYPE DATA

problemtype:	CWE-261	Trust: 1.8
problemtype:	CWE-326	Trust: 1.0

sources: JVNDB: JVNDB-2020-008745 // NVD: CVE-2020-10919

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-341

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-202007-341

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-008745

PATCH

title:	Top Page	url:	https://www.automationdirect.com/	Trust: 0.8
title:	Patch for C-MORE HMI EA9 encryption issue vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/232081	Trust: 0.6
title:	C-More HMI EA9 Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=123250	Trust: 0.6

sources: CNVD: CNVD-2020-49042 // JVNDB: JVNDB-2020-008745 // CNNVD: CNNVD-202007-341

EXTERNAL IDS

db:	NVD	id:	CVE-2020-10919	Trust: 3.8
db:	ZDI	id:	ZDI-20-806	Trust: 3.8
db:	JVNDB	id:	JVNDB-2020-008745	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-10185	Trust: 0.7
db:	CNVD	id:	CNVD-2020-49042	Trust: 0.6
db:	NSFOCUS	id:	47583	Trust: 0.6
db:	CNNVD	id:	CNNVD-202007-341	Trust: 0.6
db:	VULMON	id:	CVE-2020-10919	Trust: 0.1

sources: ZDI: ZDI-20-806 // CNVD: CNVD-2020-49042 // VULMON: CVE-2020-10919 // JVNDB: JVNDB-2020-008745 // CNNVD: CNNVD-202007-341 // NVD: CVE-2020-10919

REFERENCES

url:	https://www.zerodayinitiative.com/advisories/zdi-20-806/	Trust: 3.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-10919	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10919	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/47583	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/261.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2020-49042 // VULMON: CVE-2020-10919 // JVNDB: JVNDB-2020-008745 // CNNVD: CNNVD-202007-341 // NVD: CVE-2020-10919

CREDITS

Ta-Lun Yen & Chizuru Toyama of TXOne IoT/ICS Security Research Labs (Trend Micro)

Trust: 0.7

sources: ZDI: ZDI-20-806

SOURCES

db:	ZDI	id:	ZDI-20-806
db:	CNVD	id:	CNVD-2020-49042
db:	VULMON	id:	CVE-2020-10919
db:	JVNDB	id:	JVNDB-2020-008745
db:	CNNVD	id:	CNNVD-202007-341
db:	NVD	id:	CVE-2020-10919

LAST UPDATE DATE

2024-11-23T21:59:10.033000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-20-806	date:	2020-10-08T00:00:00
db:	CNVD	id:	CNVD-2020-49042	date:	2020-08-28T00:00:00
db:	VULMON	id:	CVE-2020-10919	date:	2020-07-28T00:00:00
db:	JVNDB	id:	JVNDB-2020-008745	date:	2020-09-24T00:00:00
db:	CNNVD	id:	CNNVD-202007-341	date:	2022-09-28T00:00:00
db:	NVD	id:	CVE-2020-10919	date:	2024-11-21T04:56:22.183

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-20-806	date:	2020-07-07T00:00:00
db:	CNVD	id:	CNVD-2020-49042	date:	2020-08-28T00:00:00
db:	VULMON	id:	CVE-2020-10919	date:	2020-07-23T00:00:00
db:	JVNDB	id:	JVNDB-2020-008745	date:	2020-09-24T00:00:00
db:	CNNVD	id:	CNNVD-202007-341	date:	2020-07-07T00:00:00
db:	NVD	id:	CVE-2020-10919	date:	2020-07-23T16:15:12.193