ID

VAR-202011-0859


CVE

CVE-2020-28349


TITLE

ChirpStack Network Server input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-013258

DESCRIPTION

An inaccurate frame deduplication process in ChirpStack Network Server 3.9.0 allows a malicious gateway to perform uplink Denial of Service via malformed frequency attributes in CollectAndCallOnceCollect in internal/uplink/collect.go. NOTE: the vendor's position is that there are no "guarantees that allowing untrusted LoRa gateways to the network should still result in a secure network." ** Unsettled ** This case has not been confirmed as a vulnerability. ChirpStack Network Server contains an input validation vulnerability. The vendor has challenged this vulnerability. For more information, see the current description at NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-28349. The product may be put into a denial of service (DoS) state. The software is applied to the wireless connection of the Internet of Things, and has the characteristics of low power consumption, long distance and high capacity. No detailed vulnerability details are currently provided.

Trust: 2.7

sources: NVD: CVE-2020-28349 // JVNDB: JVNDB-2020-013258 // CNVD: CNVD-2020-64305 // CNNVD: CNNVD-202011-680

IOT TAXONOMY

category: ['IoT'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-64305

AFFECTED PRODUCTS

vendor: chirpstack // model: network server // scope: eq // version: 3.9.0

Trust: 1.6

vendor: orne brocaar // model: chirpstack network server // scope: eq // version: 3.9.0

Trust: 0.8

vendor: orne brocaar // model: chirpstack network server // scope: eq // version: -

Trust: 0.8

sources: CNVD: CNVD-2020-64305 // JVNDB: JVNDB-2020-013258 // NVD: CVE-2020-28349

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-28349
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-28349
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-64305
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202011-680
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-28349
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-64305
severity: HIGH
baseScore: 7.1
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-28349
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-28349
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-64305 // JVNDB: JVNDB-2020-013258 // CNNVD: CNNVD-202011-680 // NVD: CVE-2020-28349

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.0

problemtype: Improper Input Validation (CWE-20) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-013258 // NVD: CVE-2020-28349

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202011-680

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202011-680

PATCH

title: Improve error handling of unknown gateways. GitHub // url: https://github.com/brocaar/chirpstack-network-server/commit/874fc1a9b01045ebe8a340f0bb01ed19e8256e60

Trust: 0.8

title: Patch for ChirpStack Network Server Denial of Service Vulnerability // url: https://www.cnvd.org.cn/patchInfo/show/240379

Trust: 0.6

title: Fix for ChirpStack Network Server input validation error vulnerability // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=134536

Trust: 0.6

sources: CNVD: CNVD-2020-64305 // JVNDB: JVNDB-2020-013258 // CNNVD: CNNVD-202011-680

EXTERNAL IDS

db: NVD // id: CVE-2020-28349

Trust: 3.0

db: JVNDB // id: JVNDB-2020-013258

Trust: 0.8

db: CNVD // id: CNVD-2020-64305

Trust: 0.6

db: CNNVD // id: CNNVD-202011-680

Trust: 0.6

sources: CNVD: CNVD-2020-64305 // JVNDB: JVNDB-2020-013258 // CNNVD: CNNVD-202011-680 // NVD: CVE-2020-28349

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2020-28349

Trust: 2.0

url: https://github.com/brocaar/chirpstack-network-server/commit/874fc1a9b01045ebe8a340f0bb01ed19e8256e60

Trust: 1.6

url: https://github.com/brocaar/chirpstack-network-server/commit/f996bb0c6c85281b5658f59ff09db1b4a73db453

Trust: 1.6

url: https://www.cyberark.com/resources/threat-research-blog/lorawan-mqtt-what-to-know-when-securing-your-iot-network

Trust: 1.6

sources: CNVD: CNVD-2020-64305 // JVNDB: JVNDB-2020-013258 // CNNVD: CNNVD-202011-680 // NVD: CVE-2020-28349

SOURCES

db: CNVD // id: CNVD-2020-64305
db: JVNDB // id: JVNDB-2020-013258
db: CNNVD // id: CNNVD-202011-680
db: NVD // id: CVE-2020-28349

LAST UPDATE DATE

2024-11-23T23:07:46.814000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2020-64305 // date: 2020-11-19T00:00:00
db: JVNDB // id: JVNDB-2020-013258 // date: 2021-06-22T06:50:00
db: CNNVD // id: CNNVD-202011-680 // date: 2020-11-24T00:00:00
db: NVD // id: CVE-2020-28349 // date: 2024-11-21T05:22:39.030

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2020-64305 // date: 2020-11-19T00:00:00
db: JVNDB // id: JVNDB-2020-013258 // date: 2021-06-22T00:00:00
db: CNNVD // id: CNNVD-202011-680 // date: 2020-11-08T00:00:00
db: NVD // id: CVE-2020-28349 // date: 2020-11-09T01:15:13.710