ID

VAR-202102-0378


CVE

CVE-2020-28392


TITLE

SIMARIS configuration Inappropriate Default Permission Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-015962

DESCRIPTION

A vulnerability has been identified in SIMARIS configuration (All versions < V4.0.1). During installation to default target folder, incorrect permissions are configured for the application folder and subfolders which could allow an attacker to gain persistence or potentially escalate privileges should a user with elevated credentials log onto the machine. SIMARIS configuration is vulnerable to incorrect default permissions. Information may be obtained or tampered with, and service may be disrupted (DoS). Siemens SIMARIS configuration supports the all-digital engineering process when constructing the power distribution system, from planning to cost calculation and bid preparation, and then to standard-compliant power distribution system documents. The Siemens SIMARIS configuration has security vulnerabilities. Attackers can use vulnerabilities to gain persistence or potentially escalate privileges.

Trust: 2.16

sources: NVD: CVE-2020-28392 // JVNDB: JVNDB-2020-015962 // CNVD: CNVD-2021-12078

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-12078

AFFECTED PRODUCTS

vendor: siemens, model: simaris configuration, scope: lt, version: 4.0.1

Trust: 1.0

vendor: シーメンス, model: simaris configuration, scope: eq, version: 4.0.1

Trust: 0.8

vendor: シーメンス, model: simaris configuration, scope: eq, version: -

Trust: 0.8

vendor: siemens, model: simaris configuration, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2021-12078 // JVNDB: JVNDB-2020-015962 // NVD: CVE-2020-28392

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-28392
value: HIGH

Trust: 1.0

NVD: CVE-2020-28392
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-12078
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202102-877
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-28392
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-12078
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-28392
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-28392
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-12078 // JVNDB: JVNDB-2020-015962 // CNNVD: CNNVD-202102-877 // NVD: CVE-2020-28392

PROBLEMTYPE DATA

problemtype: CWE-276

Trust: 1.0

problemtype: Inappropriate default permissions (CWE-276) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-015962 // NVD: CVE-2020-28392

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202102-877

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-202102-877

PATCH

title: SSA-794542, url: https://cert-portal.siemens.com/productcert/pdf/ssa-794542.pdf

Trust: 0.8

title: Patch for Siemens SIMARIS configuration insecure folder permission vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/249061

Trust: 0.6

title: SIMARIS configuration Fixes for permissions and access control issues vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=142230

Trust: 0.6

sources: CNVD: CNVD-2021-12078 // JVNDB: JVNDB-2020-015962 // CNNVD: CNNVD-202102-877

EXTERNAL IDS

db: NVD, id: CVE-2020-28392

Trust: 3.0

db: SIEMENS, id: SSA-794542

Trust: 2.2

db: JVN, id: JVNVU91083521

Trust: 0.8

db: JVNDB, id: JVNDB-2020-015962

Trust: 0.8

db: CNVD, id: CNVD-2021-12078

Trust: 0.6

db: ICS CERT, id: ICSA-21-040-08

Trust: 0.6

db: AUSCERT, id: ESB-2021.0498

Trust: 0.6

db: CNNVD, id: CNNVD-202102-877

Trust: 0.6

sources: CNVD: CNVD-2021-12078 // JVNDB: JVNDB-2020-015962 // CNNVD: CNNVD-202102-877 // NVD: CVE-2020-28392

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-794542.pdf

Trust: 2.2

url:http://jvn.jp/vu/jvnvu91083521

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-28392

Trust: 0.8

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-040-08

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.0498

Trust: 0.6

sources: CNVD: CNVD-2021-12078 // JVNDB: JVNDB-2020-015962 // CNNVD: CNNVD-202102-877 // NVD: CVE-2020-28392

SOURCES

db: CNVD, id: CNVD-2021-12078
db: JVNDB, id: JVNDB-2020-015962
db: CNNVD, id: CNNVD-202102-877
db: NVD, id: CVE-2020-28392

LAST UPDATE DATE

2024-11-23T20:12:23.754000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-12078, date: 2021-04-12T00:00:00
db: JVNDB, id: JVNDB-2020-015962, date: 2021-10-26T09:04:00
db: CNNVD, id: CNNVD-202102-877, date: 2021-05-13T00:00:00
db: NVD, id: CVE-2020-28392, date: 2024-11-21T05:22:42.610

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-12078, date: 2021-02-23T00:00:00
db: JVNDB, id: JVNDB-2020-015962, date: 2021-10-26T00:00:00
db: CNNVD, id: CNNVD-202102-877, date: 2021-02-09T00:00:00
db: NVD, id: CVE-2020-28392, date: 2021-02-09T18:15:42.387