Details of VAR-202108-0213

ID

VAR-202108-0213

CVE

CVE-2020-35685

TITLE

NicheStack embedded TCP/IP has vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#608209

DESCRIPTION

An issue was discovered in HCC Nichestack 3.0. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, an attacker may be able to determine the ISN of current and future TCP connections and either hijack existing ones or spoof future ones. (Proper ISN generation should aim to follow at least the specifications outlined in RFC 6528.). HCC Embedded's software called InterNiche stack (NicheStack) and NicheLite, which provides TCP/IP networking capability to embedded systems, is impacted by multiple vulnerabilities. The Forescout and JFrog researchers who discovered this set of vulnerabilities have identified these as "INFRA:HALT"CVE-2020-25767 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_common module version 1.15. A fix for this will be available from HCC on 2021-02-19 CVE-2020-25926 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_common module version 1.15. A fix for this will be available from HCC on 2021-03-02 CVE-2020-25927 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_common module version 1.15. A fix for this will be available from HCC on 2021-02-19 CVE-2020-25928 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_common module version 1.15. A fix for this will be available from HCC on 2021-02-19 CVE-2020-35683 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_ipv4 module version 1.5. A fix for this will be available from HCC on 2021-03-02 CVE-2020-35684 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_tcp module version 1.9. A fix for this will be available from HCC on 2021-03-16 CVE-2020-35685 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_tcp module version 1.9. A fix for this will be available from HCC on 2021-03-16 CVE-2021-27565 Affected Vendor Statement: The infinite loop entered in case this occurs is really for the user to implement when integrating the software. But whatever their implementation this code should not be structured like this. CVE-2021-31226 Affected Vendor Statement: This is an issue in all versions of Nichestack <4.3, This issue is fixed in Nichestack v4.3 with in_httpsvr module v1.7. CVE-2021-31227 Affected Vendor Statement: This is an issue in all versions of Nichestack <4.3, This issue is fixed in Nichestack v4.3 with in_httpsvr module v1.7. CVE-2021-31228 Affected Vendor Statement: This is an issue in all versions of Nichestack <4.3, This issue is fixed in Nichestack v4.3 with in_httpsvr module v1.7. CVE-2021-31400 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_tcp module version 1.9. A fix for this will be available from HCC on 2021-02-26 CVE-2021-31401 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_tcp module version 1.9. A fix for this will be available from HCC on 2021-03-16 CVE-2021-36762 Unknown Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is fixed in in_tftp module version 1.2CVE-2020-25767 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_common module version 1.15. A fix for this will be available from HCC on 2021-02-19 CVE-2020-25926 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_common module version 1.15. A fix for this will be available from HCC on 2021-03-02 CVE-2020-25927 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_common module version 1.15. A fix for this will be available from HCC on 2021-02-19 CVE-2020-25928 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_common module version 1.15. A fix for this will be available from HCC on 2021-02-19 CVE-2020-35683 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_ipv4 module version 1.5. A fix for this will be available from HCC on 2021-03-02 CVE-2020-35684 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_tcp module version 1.9. A fix for this will be available from HCC on 2021-03-16 CVE-2020-35685 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_tcp module version 1.9. A fix for this will be available from HCC on 2021-03-16 CVE-2021-27565 Affected Vendor Statement: The infinite loop entered in case this occurs is really for the user to implement when integrating the software. But whatever their implementation this code should not be structured like this. CVE-2021-31226 Affected Vendor Statement: This is an issue in all versions of Nichestack <4.3, This issue is fixed in Nichestack v4.3 with in_httpsvr module v1.7. CVE-2021-31227 Affected Vendor Statement: This is an issue in all versions of Nichestack <4.3, This issue is fixed in Nichestack v4.3 with in_httpsvr module v1.7. CVE-2021-31228 Affected Vendor Statement: This is an issue in all versions of Nichestack <4.3, This issue is fixed in Nichestack v4.3 with in_httpsvr module v1.7. CVE-2021-31400 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_tcp module version 1.9. A fix for this will be available from HCC on 2021-02-26 CVE-2021-31401 Affected Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is present in the in_tcp module version 1.9. A fix for this will be available from HCC on 2021-03-16 CVE-2021-36762 Unknown Vendor Statement: This issue is present in all versions of Nichestack prior to 4.3. The global version number for Nichestack is now frozen at 4.3 and we now maintain version numbers for each module. The issue is fixed in in_tftp module version 1.2. SENTRON 3WA COM190 is an accessory module for 3WA circuit breakers, providing connections via PROFINET IO and Modbus TCP. SENTRON 3WL COM35 is an accessory module of 3WL circuit breaker, which provides connection through PROFINET IO and Modbus TCP. SENTRON 7KM PAC Switched Ethernet PROFINET Expansion Module is a plug-in device that provides switched Ethernet PROFINET V3 connections for 7KM PAC32x0/4200 and 3VA COM100/800 devices. The Siemens Interniche IP stack low-voltage equipment has security vulnerabilities. No detailed vulnerability details are currently provided. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Siemens Security Advisory

Trust: 2.79

sources: NVD: CVE-2020-35685 // CERT/CC: VU#608209 // CNVD: CNVD-2021-58799 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2020-35685

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-58799

AFFECTED PRODUCTS

vendor:	siemens	model:	sentron 3wl com35	scope:	lt	version:	1.2.0	Trust: 1.0
vendor:	hcc embedded	model:	nichestack	scope:	eq	version:	3.0	Trust: 1.0
vendor:	siemens	model:	sentron 3wa com190	scope:	lt	version:	2.0.0	Trust: 1.0
vendor:	siemens	model:	sentron 7km pac switched ethernet profinet expansion module	scope:	lt	version:	v3.0.4	Trust: 0.6
vendor:	siemens	model:	sentron 3wl com35	scope:	lt	version:	v1.2.0	Trust: 0.6
vendor:	siemens	model:	sentron 3wa com190	scope:	lt	version:	v2.0.0	Trust: 0.6

sources: CNVD: CNVD-2021-58799 // NVD: CVE-2020-35685

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-35685
value:	CRITICAL
Trust: 1.0
CNVD:	CNVD-2021-58799
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-407
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2020-35685
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
CNVD:	CNVD-2021-58799
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-35685
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	5.2
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2021-58799 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-407 // NVD: CVE-2020-35685

PROBLEMTYPE DATA

problemtype:

CWE-330

Trust: 1.0

sources: NVD: CVE-2020-35685

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-407

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	Patch for Siemens Interniche IP stack low-voltage equipment has unspecified vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/284146	Trust: 0.6
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=dcdeae95fabde3361948ed61a281b1cb	Trust: 0.1

sources: CNVD: CNVD-2021-58799 // VULMON: CVE-2020-35685

EXTERNAL IDS

db:	NVD	id:	CVE-2020-35685	Trust: 3.1
db:	CERT/CC	id:	VU#608209	Trust: 2.4
db:	SIEMENS	id:	SSA-789208	Trust: 2.3
db:	CNVD	id:	CNVD-2021-58799	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021080402	Trust: 0.6
db:	CS-HELP	id:	SB2021080607	Trust: 0.6
db:	ICS CERT	id:	ICSA-21-217-01	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2661	Trust: 0.6
db:	CNNVD	id:	CNNVD-202108-407	Trust: 0.6
db:	VULMON	id:	CVE-2020-35685	Trust: 0.1

sources: CERT/CC: VU#608209 // CNVD: CNVD-2021-58799 // VULMON: CVE-2020-35685 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-407 // NVD: CVE-2020-35685

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-789208.pdf	Trust: 2.2
url:	https://www.kb.cert.org/vuls/id/608209	Trust: 1.6
url:	https://www.forescout.com/blog/new-critical-operational-technology-vulnerabilities-found-on-nichestack/	Trust: 1.6
url:	https://www.hcc-embedded.com	Trust: 1.6
url:	cve-2020-25767	Trust: 0.8
url:	cve-2020-25926	Trust: 0.8
url:	cve-2020-25927	Trust: 0.8
url:	cve-2020-25928	Trust: 0.8
url:	cve-2020-35683	Trust: 0.8
url:	cve-2020-35684	Trust: 0.8
url:	cve-2020-35685	Trust: 0.8
url:	cve-2021-27565	Trust: 0.8
url:	cve-2021-31226	Trust: 0.8
url:	cve-2021-31227	Trust: 0.8
url:	cve-2021-31228	Trust: 0.8
url:	cve-2021-31400	Trust: 0.8
url:	cve-2021-31401	Trust: 0.8
url:	cve-2021-36762	Trust: 0.8
url:	vince json	Trust: 0.8
url:	csaf	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2661	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021080402	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-217-01	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021080607	Trust: 0.6
url:	https://cert-portal.siemens.com/productcert/txt/ssa-789208.txt	Trust: 0.1

sources: CERT/CC: VU#608209 // CNVD: CNVD-2021-58799 // VULMON: CVE-2020-35685 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202108-407 // NVD: CVE-2020-35685

CREDITS

This document was written by Vijay Sarvepalli.Statement Date: July 20, 2021

Trust: 0.8

sources: CERT/CC: VU#608209

SOURCES

db:	CERT/CC	id:	VU#608209
db:	CNVD	id:	CNVD-2021-58799
db:	VULMON	id:	CVE-2020-35685
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202108-407
db:	NVD	id:	CVE-2020-35685

LAST UPDATE DATE

2024-08-14T12:19:27.506000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#608209	date:	2022-09-23T00:00:00
db:	CNVD	id:	CNVD-2021-58799	date:	2022-01-18T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202108-407	date:	2021-08-27T00:00:00
db:	NVD	id:	CVE-2020-35685	date:	2021-08-26T18:21:15.667

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#608209	date:	2021-08-10T00:00:00
db:	CNVD	id:	CNVD-2021-58799	date:	2021-08-05T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202108-407	date:	2021-08-04T00:00:00
db:	NVD	id:	CVE-2020-35685	date:	2021-08-19T12:15:08.217