{"containers": {"cna": {"affected": [{"product": "zephyr", "vendor": "zephyrproject-rtos", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "2.1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "NCC Group for report"}], "datePublic": "2020-05-01T00:00:00", "descriptions": [{"lang": "en", "value": "The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-05T17:37:37", "orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-36"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24954"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24999"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24997"}, {"tags": ["x_refsource_MISC"], "url": "https://docs.zephyrproject.org/latest/security/vulnerabilities.html#cve-2020-10059"}], "source": {"defect": ["https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-36"], "discovery": "EXTERNAL"}, "title": "UpdateHub Module Explicitly Disables TLS Verification", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilities@zephyrproject.org", "DATE_PUBLIC": "2020-05-01T00:00:00.000Z", "ID": "CVE-2020-10059", "STATE": "PUBLIC", "TITLE": "UpdateHub Module Explicitly Disables TLS Verification"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "zephyr", "version": {"version_data": [{"version_affected": ">=", "version_value": "2.1.0"}]}}]}, "vendor_name": "zephyrproject-rtos"}]}}, "credit": [{"lang": "eng", "value": "NCC Group for report"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295 Improper Certificate Validation"}]}]}, "references": {"reference_data": [{"name": "https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-36", "refsource": "MISC", "url": "https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-36"}, {"name": "https://github.com/zephyrproject-rtos/zephyr/pull/24954", "refsource": "MISC", "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24954"}, {"name": "https://github.com/zephyrproject-rtos/zephyr/pull/24999", "refsource": "MISC", "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24999"}, {"name": "https://github.com/zephyrproject-rtos/zephyr/pull/24997", "refsource": "MISC", "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24997"}, {"name": "https://docs.zephyrproject.org/latest/security/vulnerabilities.html#cve-2020-10059", "refsource": "MISC", "url": "https://docs.zephyrproject.org/latest/security/vulnerabilities.html#cve-2020-10059"}]}, "source": {"defect": ["https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-36"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:50:57.794Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-36"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24954"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24999"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24997"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.zephyrproject.org/latest/security/vulnerabilities.html#cve-2020-10059"}]}]}, "cveMetadata": {"assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "assignerShortName": "zephyr", "cveId": "CVE-2020-10059", "datePublished": "2020-05-11T22:26:16.442001Z", "dateReserved": "2020-03-04T00:00:00", "dateUpdated": "2024-09-17T02:07:14.701Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zephyrproject:zephyr:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "EF33DD80-0286-477C-88A4-FCEC0D80F520", "vulnerable": true}, {"criteria": "cpe:2.3:o:zephyrproject:zephyr:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "677DD0A3-502D-45F1-9CC8-8DDB8F230DFC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions."}, {"lang": "es", "value": "El m\u00f3dulo UpdateHub deshabilita la comprobaci\u00f3n del peer DTLS, lo que permite un ataque de tipo man in the middle. Esto es mitigado por im\u00e1genes de firmware que requieren firmas validas. Sin embargo, no existe ning\u00fan beneficio al usar DTLS sin la comprobaci\u00f3n del peer. Consulte NCC-ZEP-018. Este problema afecta a: zephyrproject-rtos zephyr versi\u00f3n 2.1.0 y versiones posteriores."}], "id": "CVE-2020-10059", "lastModified": "2024-11-21T04:54:43.450", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-11T23:15:11.973", "references": [{"source": "vulnerabilities@zephyrproject.org", "url": "https://docs.zephyrproject.org/latest/security/vulnerabilities.html#cve-2020-10059"}, {"source": "vulnerabilities@zephyrproject.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24954"}, {"source": "vulnerabilities@zephyrproject.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24997"}, {"source": "vulnerabilities@zephyrproject.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24999"}, {"source": "vulnerabilities@zephyrproject.org", "tags": ["Third Party Advisory"], "url": "https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-36"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://docs.zephyrproject.org/latest/security/vulnerabilities.html#cve-2020-10059"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24954"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24997"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/pull/24999"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-36"}], "sourceIdentifier": "vulnerabilities@zephyrproject.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}