CVE-2020-12524 - OpenCVE

Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Phoenixcontact	Btp 2043w Btp 2043w Firmware Btp 2070w Btp 2070w Firmware Btp 2102w Btp 2102w Firmware

Configuration 1 [-]

AND

cpe:2.3:o:phoenixcontact:btp_2043w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:btp_2043w:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:phoenixcontact:btp_2070w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:btp_2070w:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:phoenixcontact:btp_2102w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:btp_2102w:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cert.vde.com/en-us/advisories/vde-2020-047

History

Tue, 17 Sep 2024 04:15:00 +0000

Type	Values Removed	Values Added
Title	Phoenix Contact BTP Touch Panels uncontrolled resource consumption	Phoenix Contact BTP Touch Panels uncontrolled resource consumption

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2020-12-02T14:39:20.197008Z

Updated: 2024-09-17T03:58:57.990Z

Reserved: 2020-04-30T00:00:00

Link: CVE-2020-12524

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-12-02T15:15:12.173

Modified: 2020-12-04T21:45:07.247

Link: CVE-2020-12524

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "BTP Touch Panel", "vendor": "Phoenix Contact", "versions": [{"status": "affected", "version": "BTP 2043W (1050387) all versions"}, {"status": "affected", "version": "BTP 2070W (1046666) all versions"}, {"status": "affected", "version": "BTP 2102W (1046667) all versions"}]}], "credits": [{"lang": "en", "value": "This vulnerability was discovered by Richard Thomas and Tom Chothia of University of Birmingham."}], "datePublic": "2020-12-02T00:00:00", "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-02T14:39:20", "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://cert.vde.com/en-us/advisories/vde-2020-047"}], "source": {"advisory": "vde-2020-047", "defect": ["vde-2020-047"], "discovery": "EXTERNAL"}, "title": "Phoenix Contact BTP Touch Panels uncontrolled resource consumption", "workarounds": [{"lang": "en", "value": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on the recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note: https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "info@cert.vde.com", "DATE_PUBLIC": "2020-12-02T09:00:00.000Z", "ID": "CVE-2020-12524", "STATE": "PUBLIC", "TITLE": "Phoenix Contact BTP Touch Panels uncontrolled resource consumption"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BTP Touch Panel", "version": {"version_data": [{"platform": "", "version_affected": "=", "version_name": "BTP 2043W (1050387)", "version_value": "all versions"}, {"platform": "", "version_affected": "=", "version_name": "BTP 2070W (1046666)", "version_value": "all versions"}, {"platform": "", "version_affected": "=", "version_name": "BTP 2102W (1046667)", "version_value": "all versions"}]}}]}, "vendor_name": "Phoenix Contact"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "This vulnerability was discovered by Richard Thomas and Tom Chothia of University of Birmingham."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service)."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://cert.vde.com/en-us/advisories/vde-2020-047", "refsource": "CONFIRM", "url": "https://cert.vde.com/en-us/advisories/vde-2020-047"}]}, "solution": [], "source": {"advisory": "vde-2020-047", "defect": ["vde-2020-047"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on the recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note: https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf"}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:56:52.092Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert.vde.com/en-us/advisories/vde-2020-047"}]}]}, "cveMetadata": {"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "assignerShortName": "CERTVDE", "cveId": "CVE-2020-12524", "datePublished": "2020-12-02T14:39:20.197008Z", "dateReserved": "2020-04-30T00:00:00", "dateUpdated": "2024-09-17T03:58:57.990Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:btp_2043w_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "99086049-AA57-4E1B-8E29-C2AADAC5C46D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:btp_2043w:-:*:*:*:*:*:*:*", "matchCriteriaId": "F0F6F9F0-3374-4E32-BA8E-9CA9088DFBCF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:btp_2070w_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2FFFA0A-C79E-4B57-BA2E-1A699CCCF8AF", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:btp_2070w:-:*:*:*:*:*:*:*", "matchCriteriaId": "5BCFF35F-3408-45EB-BCEF-9782159D3E24", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:btp_2102w_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B193F6D5-002F-44D3-82E5-232C32EBDE24", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:btp_2102w:-:*:*:*:*:*:*:*", "matchCriteriaId": "C4CEA79B-6529-4DE7-8551-6373B6E78DF0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service)."}, {"lang": "es", "value": "Un Consumo No Controlado de Recursos puede ser explotado para causar que las HMIs Phoenix Contact versiones BTP 2043W, BTP 2070W y BTP 2102W en todas las versiones dejen de responder y no actualicen con precisi\u00f3n el contenido de la pantalla (Denegaci\u00f3n de Servicio)"}], "id": "CVE-2020-12524", "lastModified": "2020-12-04T21:45:07.247", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "info@cert.vde.com", "type": "Secondary"}]}, "published": "2020-12-02T15:15:12.173", "references": [{"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en-us/advisories/vde-2020-047"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "info@cert.vde.com", "type": "Secondary"}]}