ID

VAR-202009-0289


CVE

CVE-2020-14030


TITLE

Untrusted Data Deserialization Vulnerability in Ozeki NG SMS Gateway

Trust: 0.8

sources: JVNDB: JVNDB-2020-012021

DESCRIPTION

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. It stores SMS messages in .NET serialized format on the filesystem. By generating (and writing to the disk) malicious .NET serialized files, an attacker can trick the product into deserializing them, resulting in arbitrary code execution. Ozeki NG SMS Gateway contains a vulnerability in the deserialization of untrusted data. Information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. The program can convert your incoming emails to SMS and send them to your mobile phone. The main functions are: (1) sending and receiving messages in both directions (from phone to system, from system to phone); (2) support for various desktop email and Webmail applications; (3) a powerful server that supports the program and stores your SMS messages for sending and receiving; (4) support for multiple devices, etc.

Trust: 1.8

sources: NVD: CVE-2020-14030 // JVNDB: JVNDB-2020-012021 // VULHUB: VHN-166868 // VULMON: CVE-2020-14030

AFFECTED PRODUCTS

vendor: ozeki, model: ng sms gateway, scope: lte, version: 4.17.6

Trust: 1.0

vendor: ozeki, model: ng-sms gateway, scope: eq, version: -

Trust: 0.8

vendor: ozeki, model: ng-sms gateway, scope: lte, version: 4.17.6 until

Trust: 0.8

sources: JVNDB: JVNDB-2020-012021 // NVD: CVE-2020-14030

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-14030
value: HIGH

Trust: 1.0

NVD: CVE-2020-14030
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202009-1724
value: HIGH

Trust: 0.6

VULHUB: VHN-166868
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-14030
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-14030
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-166868
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-14030
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-14030
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-166868 // VULMON: CVE-2020-14030 // JVNDB: JVNDB-2020-012021 // CNNVD: CNNVD-202009-1724 // NVD: CVE-2020-14030

PROBLEMTYPE DATA

problemtype: CWE-502

Trust: 1.1

problemtype: Deserialization of untrusted data (CWE-502) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-166868 // JVNDB: JVNDB-2020-012021 // NVD: CVE-2020-14030

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-1724

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202009-1724

PATCH

title: Download Ozeki Software Products
url: http://www.ozeki.hu/index.php?owpn=231

Trust: 0.8

title: Ozeki NG SMS Gateway Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=129686

Trust: 0.6

sources: JVNDB: JVNDB-2020-012021 // CNNVD: CNNVD-202009-1724

EXTERNAL IDS

db: NVD, id: CVE-2020-14030

Trust: 2.6

db: JVNDB, id: JVNDB-2020-012021

Trust: 0.8

db: CNNVD, id: CNNVD-202009-1724

Trust: 0.6

db: VULHUB, id: VHN-166868

Trust: 0.1

db: VULMON, id: CVE-2020-14030

Trust: 0.1

sources: VULHUB: VHN-166868 // VULMON: CVE-2020-14030 // JVNDB: JVNDB-2020-012021 // CNNVD: CNNVD-202009-1724 // NVD: CVE-2020-14030

REFERENCES

url:https://github.com/drunkenshells/disclosures/tree/master/cve-2020-14030-rce%20via%20.net%20deserialization-ozeki%20sms%20gateway

Trust: 2.6

url:http://www.ozeki.hu/index.php?owpn=231

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-14030

Trust: 1.4

url:https://cwe.mitre.org/data/definitions/502.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-166868 // VULMON: CVE-2020-14030 // JVNDB: JVNDB-2020-012021 // CNNVD: CNNVD-202009-1724 // NVD: CVE-2020-14030

SOURCES

db: VULHUB, id: VHN-166868
db: VULMON, id: CVE-2020-14030
db: JVNDB, id: JVNDB-2020-012021
db: CNNVD, id: CNNVD-202009-1724
db: NVD, id: CVE-2020-14030

LAST UPDATE DATE

2024-11-23T23:11:17.950000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-166868, date: 2020-10-09T00:00:00
db: VULMON, id: CVE-2020-14030, date: 2020-10-09T00:00:00
db: JVNDB, id: JVNDB-2020-012021, date: 2021-04-22T02:56:00
db: CNNVD, id: CNNVD-202009-1724, date: 2020-10-22T00:00:00
db: NVD, id: CVE-2020-14030, date: 2024-11-21T05:02:23.393

SOURCES RELEASE DATE

db: VULHUB, id: VHN-166868, date: 2020-09-30T00:00:00
db: VULMON, id: CVE-2020-14030, date: 2020-09-30T00:00:00
db: JVNDB, id: JVNDB-2020-012021, date: 2021-04-22T00:00:00
db: CNNVD, id: CNNVD-202009-1724, date: 2020-09-30T00:00:00
db: NVD, id: CVE-2020-14030, date: 2020-09-30T18:15:21.537