CVE-2020-27257 - OpenCVE

This vulnerability allows local attackers to execute arbitrary code due to the lack of proper validation of user-supplied data, which can result in a type-confusion condition in the Omron CX-One Version 4.60 and prior devices.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Omron	Cx-one Cx-position Cx-protocol Cx-server

Configuration 1 [-]

OR	cpe:2.3:a:omron:cx-one::::::::
	cpe:2.3:a:omron:cx-position::::::::
	cpe:2.3:a:omron:cx-protocol::::::::
	cpe:2.3:a:omron:cx-server::::::::

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-21-007-02
https://www.zerodayinitiative.com/advisories/ZDI-21-184/

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-02-09T14:10:19.507744Z

Updated: 2024-09-17T02:47:28.530Z

Reserved: 2020-10-19T00:00:00

Link: CVE-2020-27257

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-02-09T15:15:12.970

Modified: 2021-02-12T17:51:25.970

Link: CVE-2020-27257

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "CX-One", "vendor": "Omron", "versions": [{"lessThanOrEqual": "4.60", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "CX-Protocol", "vendor": "Omron", "versions": [{"lessThanOrEqual": "2.02", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "CX-Server", "vendor": "Omron", "versions": [{"lessThanOrEqual": "5.0.28", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "CX-Position", "vendor": "Omron", "versions": [{"lessThanOrEqual": "2.52", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-01-07T00:00:00", "descriptions": [{"lang": "en", "value": "This vulnerability allows local attackers to execute arbitrary code due to the lack of proper validation of user-supplied data, which can result in a type-confusion condition in the Omron CX-One Version 4.60 and prior devices."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-843", "description": "ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-10T18:06:13", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-007-02"}, {"tags": ["x_refsource_MISC"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-184/"}], "source": {"advisory": "ICSA-21-007-02", "discovery": "UNKNOWN"}, "title": "Omron CX-One", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-01-07T17:00:00.000Z", "ID": "CVE-2020-27257", "STATE": "PUBLIC", "TITLE": "Omron CX-One"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CX-One", "version": {"version_data": [{"version_affected": "<=", "version_value": "4.60"}]}}, {"product_name": "CX-Protocol", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.02"}]}}, {"product_name": "CX-Server", "version": {"version_data": [{"version_affected": "<=", "version_value": "5.0.28"}]}}, {"product_name": "CX-Position", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.52"}]}}]}, "vendor_name": "Omron"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This vulnerability allows local attackers to execute arbitrary code due to the lack of proper validation of user-supplied data, which can result in a type-confusion condition in the Omron CX-One Version 4.60 and prior devices."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-007-02", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-007-02"}, {"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-184/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-184/"}]}, "source": {"advisory": "ICSA-21-007-02", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:11:36.464Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-007-02"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-184/"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-27257", "datePublished": "2021-02-09T14:10:19.507744Z", "dateReserved": "2020-10-19T00:00:00", "dateUpdated": "2024-09-17T02:47:28.530Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:omron:cx-one:*:*:*:*:*:*:*:*", "matchCriteriaId": "8DDFA8C8-5BB3-4A0A-BFA8-0963C46B6DD2", "versionEndIncluding": "4.60", "vulnerable": true}, {"criteria": "cpe:2.3:a:omron:cx-position:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A75973B-C2B1-4CFC-A2A9-BFB553037BF2", "versionEndIncluding": "2.52", "vulnerable": true}, {"criteria": "cpe:2.3:a:omron:cx-protocol:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E61B773-2097-4C4E-B48C-CFC7294A4C5A", "versionEndIncluding": "2.02", "vulnerable": true}, {"criteria": "cpe:2.3:a:omron:cx-server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DD31345-F164-4016-902E-DA9AD29430E4", "versionEndIncluding": "5.0.28", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This vulnerability allows local attackers to execute arbitrary code due to the lack of proper validation of user-supplied data, which can result in a type-confusion condition in the Omron CX-One Version 4.60 and prior devices."}, {"lang": "es", "value": "Esta vulnerabilidad permite a atacantes locales ejecutar c\u00f3digo arbitrario debido a una falta de comprobaci\u00f3n apropiada de los datos suministrados por un usuario, lo que puede resultar en una condici\u00f3n de confusi\u00f3n de tipos en Omron CX-One Versi\u00f3n 4.60 y dispositivos anteriores"}], "id": "CVE-2020-27257", "lastModified": "2021-02-12T17:51:25.970", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-09T15:15:12.970", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-007-02"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-184/"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-843"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-843"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}