CVE-2020-12496 - Vulnerability Details

Vendors	Products
Endress	Orsg35 Orsg35 Firmware Orsg45 Orsg45 Firmware Rsg35 Rsg35 Firmware Rsg45 Rsg45 Firmware

Source	ID	Title
EUVD	EUVD-2020-4798	Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor. The firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it's possible and during the analysis it was discovered that it also has an issue with the access-control matrix on the server-side. It was found that a user with low rights can get information from endpoints that should not be available to this user.

Link	Providers
https://cert.vde.com/en-us/advisories/vde-2020-022

{"containers": {"cna": {"affected": [{"product": "RSG35 - Ecograph T", "vendor": "Endress+Hauser", "versions": [{"lessThan": "*", "status": "affected", "version": "V2.0.0", "versionType": "custom"}]}, {"product": "ORSG35 - Ecograph T Neutral/Private Label", "vendor": "Endress+Hauser", "versions": [{"lessThan": "*", "status": "affected", "version": "V2.0.0", "versionType": "custom"}]}, {"product": "RSG45 - Memograph M", "vendor": "Endress+Hauser", "versions": [{"lessThan": "*", "status": "affected", "version": "V2.0.0", "versionType": "custom"}]}, {"product": "ORSG45 - Memograph M Neutral/Private Label", "vendor": "Endress+Hauser", "versions": [{"lessThan": "*", "status": "affected", "version": "V2.0.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Maxim Rupp reported this vulnerability to CERT@VDE"}], "datePublic": "2020-11-19T00:00:00", "descriptions": [{"lang": "en", "value": "Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor. The firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it's possible and during the analysis it was discovered that it also has an issue with the access-control matrix on the server-side. It was found that a user with low rights can get information from endpoints that should not be available to this user."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-19T17:07:20", "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://cert.vde.com/en-us/advisories/vde-2020-022"}], "solutions": [{"lang": "en", "value": "Endress+Hauser will not change this behavior.\nCustomers are recommended to take the measures for Temporary Fix / Mitigation as described above."}], "source": {"advisory": "VDE-2020-022", "defect": ["VDE-2020-022"], "discovery": "EXTERNAL"}, "title": "ENDRESS+HAUSER: Ecograph T utilizing Webserver firmware version 2.x exposures sensitive information to an unauthorized actor", "workarounds": [{"lang": "en", "value": "Customers should configure a perimeter firewall to block traffic from untrusted networks and users to the device. These recommendations will be incorporated into the device documentation (operating instructions)\nChange default password for operator, service and admin account."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "info@cert.vde.com", "DATE_PUBLIC": "2020-11-19T14:00:00.000Z", "ID": "CVE-2020-12496", "STATE": "PUBLIC", "TITLE": "ENDRESS+HAUSER: Ecograph T utilizing Webserver firmware version 2.x exposures sensitive information to an unauthorized actor"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "RSG35 - Ecograph T", "version": {"version_data": [{"platform": "", "version_affected": ">=", "version_name": "", "version_value": "V2.0.0"}]}}, {"product_name": "ORSG35 - Ecograph T Neutral/Private Label", "version": {"version_data": [{"platform": "", "version_affected": ">=", "version_name": "", "version_value": "V2.0.0"}]}}, {"product_name": "RSG45 - Memograph M", "version": {"version_data": [{"platform": "", "version_affected": ">=", "version_name": "", "version_value": "V2.0.0"}]}}, {"product_name": "ORSG45 - Memograph M Neutral/Private Label", "version": {"version_data": [{"platform": "", "version_affected": ">=", "version_name": "", "version_value": "V2.0.0"}]}}]}, "vendor_name": "Endress+Hauser"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "Maxim Rupp reported this vulnerability to CERT@VDE"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor. The firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it's possible and during the analysis it was discovered that it also has an issue with the access-control matrix on the server-side. It was found that a user with low rights can get information from endpoints that should not be available to this user."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://cert.vde.com/en-us/advisories/vde-2020-022", "refsource": "CONFIRM", "url": "https://cert.vde.com/en-us/advisories/vde-2020-022"}]}, "solution": [{"lang": "en", "value": "Endress+Hauser will not change this behavior.\nCustomers are recommended to take the measures for Temporary Fix / Mitigation as described above."}], "source": {"advisory": "VDE-2020-022", "defect": ["VDE-2020-022"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Customers should configure a perimeter firewall to block traffic from untrusted networks and users to the device. These recommendations will be incorporated into the device documentation (operating instructions)\nChange default password for operator, service and admin account."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:56:52.113Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert.vde.com/en-us/advisories/vde-2020-022"}]}]}, "cveMetadata": {"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "assignerShortName": "CERTVDE", "cveId": "CVE-2020-12496", "datePublished": "2020-11-19T17:07:20.957900Z", "dateReserved": "2020-04-30T00:00:00", "dateUpdated": "2024-09-16T23:50:39.926Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:endress:rsg35_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "09972345-A856-4BCC-B649-EB93AEC89AB7", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:endress:rsg35:-:*:*:*:*:*:*:*", "matchCriteriaId": "2FD4C836-D775-49B1-997C-5F1BE2DA3422", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:endress:rsg45_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2917E2E-DF23-419A-B1CF-AD39A49DC535", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:endress:rsg45:-:*:*:*:*:*:*:*", "matchCriteriaId": "5BE8DDCA-3704-41B9-BE65-467DC0C832E3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:endress:orsg35_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "47846DD8-45BF-4ECD-87C7-77E9CF32689F", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:endress:orsg35:-:*:*:*:*:*:*:*", "matchCriteriaId": "BACEE257-8D0A-4EC7-9DC1-D7BFA2606717", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:endress:orsg45_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF6DB41B-E6A6-4E0B-B87E-EDD8FC9AF068", "versionEndExcluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:endress:orsg45:-:*:*:*:*:*:*:*", "matchCriteriaId": "DF859810-2537-4704-91FD-35353063C562", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor. The firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it's possible and during the analysis it was discovered that it also has an issue with the access-control matrix on the server-side. It was found that a user with low rights can get information from endpoints that should not be available to this user."}, {"lang": "es", "value": "Endress + Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) y Memograph M (Neutral/Private Label) (RSG45, ORSG45) con la versi\u00f3n de firmware V2.0.0 y superior, es propenso a exponer informaci\u00f3n confidencial a un actor no autorizado. La versi\u00f3n de firmware posee un token din\u00e1mico para cada petici\u00f3n enviada al servidor, lo que hace que las peticiones repetidas y el an\u00e1lisis sean lo suficientemente complejos. Sin embargo, es posible y durante el an\u00e1lisis se detect\u00f3 que tambi\u00e9n tiene un problema con la matriz de control de acceso en el lado del servidor. Se encontr\u00f3 que un usuario con pocos derechos puede obtener informaci\u00f3n de los endpoints que no deber\u00eda estar disponible para este usuario"}], "id": "CVE-2020-12496", "lastModified": "2024-11-21T04:59:48.160", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "info@cert.vde.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-19T18:15:13.850", "references": [{"source": "info@cert.vde.com", "tags": ["Vendor Advisory"], "url": "https://cert.vde.com/en-us/advisories/vde-2020-022"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://cert.vde.com/en-us/advisories/vde-2020-022"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "info@cert.vde.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object