admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
cvelist/2020/12xxx/CVE-2020-12522.json
Jochen Becker f75eb1dc6b added 2020-12522
2020-12-17 09:16:03 +01:00

166 lines
5.2 KiB
JSON
Raw Blame History

{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
"engine": "Vulnogram 0.0.9"
},
"CVE_data_meta": {
"ID": "CVE-2020-12522",
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2020-12-17T09:00:00.000Z",
"TITLE": "Command Injection Vulnerability in I/O-Check Service of WAGO PFC100, PFC200 and Touch Panel 600 Series with firmware versions <=FW10",
"AKA": "",
"STATE": "PUBLIC"
},
"source": {
"defect": [
"VDE-2020-045"
],
"advisory": "VDE-2020-045",
"discovery": "INTERNAL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "WAGO",
"product": {
"product_data": [
{
"product_name": "Series PFC 100 (750-81xx/xxx-xxx)",
"version": {
"version_data": [
{
"version_name": "FW1",
"version_affected": "<=",
"version_value": "FW10",
"platform": ""
}
]
}
},
{
"product_name": "Series PFC 200 (750-82xx/xxx-xxx)",
"version": {
"version_data": [
{
"version_name": "FW1",
"version_affected": "<=",
"version_value": "FW10",
"platform": ""
}
]
}
},
{
"product_name": "Series Wago Touch Panel 600 Standard Line (762-4xxx)",
"version": {
"version_data": [
{
"version_name": "FW1",
"version_affected": "<=",
"version_value": "FW10",
"platform": ""
}
]
}
},
{
"product_name": "Series Wago Touch Panel 600 Advanced Line (762-5xxx)",
"version": {
"version_data": [
{
"version_name": "FW1",
"version_affected": "<=",
"version_value": "FW10",
"platform": ""
}
]
}
},
{
"product_name": "Series Wago Touch Panel 600 Marine Line (762-6xxx)",
"version": {
"version_data": [
{
"version_name": "FW1",
"version_affected": "<=",
"version_value": "FW10",
"platform": ""
}
]
}
}
]
}
}
]
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "The reported vulnerability allows an attacker who has network access to the device to execute code with specially crafted packets in WAGO Series PFC 100 (750-81xx/xxx-xxx), Series PFC 200 (750-82xx/xxx-xxx), Series Wago Touch Panel 600 Standard Line (762-4xxx), Series Wago Touch Panel 600 Advanced Line (762-5xxx), Series Wago Touch Panel 600 Marine Line (762-6xxx) with firmware versions <=FW10."
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en-us/advisories/vde-2020-045",
"name": "https://cert.vde.com/en-us/advisories/vde-2020-045"
}
]
},
"configuration": [],
"impact": {
"cvss": {
"version": "3.1",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"baseScore": 10,
"baseSeverity": "CRITICAL"
}
},
"exploit": [],
"work_around": [
{
"lang": "eng",
"value": "Disable I/O-Check service\nRestrict network access to the device.\nDo not directly connect the device to the internet."
}
],
"solution": [
{
"lang": "eng",
"value": "The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and securest way to protect your device from the listed vulnerabilities.\n\nRegardless to the action described above, the vulnerability has been fixed in FW11, released in December 2017."
}
],
"credit": [
{
"lang": "eng",
"value": "This vulnerability was originally found by Florian Seidel of WAGO and was rediscovered by Uri Katz of Claroty. We thank CERT@VDE for the management of this coordinated disclosure."
}
]
}
Reference in New Issue View Git Blame Copy Permalink