CVE-2020-12524 (GCVE-0-2020-12524)

Vulnerability from cvelistv5 – Published: 2020-12-02 14:39 – Updated: 2024-09-17 03:58
VLAI?
Title
Phoenix Contact BTP Touch Panels uncontrolled resource consumption
Summary
Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service).
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
Vendor Product Version
Phoenix Contact BTP Touch Panel Affected: BTP 2043W (1050387) all versions
Affected: BTP 2070W (1046666) all versions
Affected: BTP 2102W (1046667) all versions
Create a notification for this product.
Date Public ?
2020-12-02 00:00
Credits
This vulnerability was discovered by Richard Thomas and Tom Chothia of University of Birmingham.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:56:52.092Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert.vde.com/en-us/advisories/vde-2020-047"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BTP Touch Panel",
          "vendor": "Phoenix Contact",
          "versions": [
            {
              "status": "affected",
              "version": "BTP 2043W (1050387) all versions"
            },
            {
              "status": "affected",
              "version": "BTP 2070W (1046666) all versions"
            },
            {
              "status": "affected",
              "version": "BTP 2102W (1046667) all versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This vulnerability was discovered by Richard Thomas and Tom Chothia of University of Birmingham."
        }
      ],
      "datePublic": "2020-12-02T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-02T14:39:20.000Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert.vde.com/en-us/advisories/vde-2020-047"
        }
      ],
      "source": {
        "advisory": "vde-2020-047",
        "defect": [
          "vde-2020-047"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Phoenix Contact BTP Touch Panels uncontrolled resource consumption",
      "workarounds": [
        {
          "lang": "en",
          "value": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on the recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note: https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "",
          "ASSIGNER": "info@cert.vde.com",
          "DATE_PUBLIC": "2020-12-02T09:00:00.000Z",
          "ID": "CVE-2020-12524",
          "STATE": "PUBLIC",
          "TITLE": "Phoenix Contact BTP Touch Panels uncontrolled resource consumption"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "BTP Touch Panel",
                      "version": {
                        "version_data": [
                          {
                            "platform": "",
                            "version_affected": "=",
                            "version_name": "BTP 2043W (1050387)",
                            "version_value": "all versions"
                          },
                          {
                            "platform": "",
                            "version_affected": "=",
                            "version_name": "BTP 2070W (1046666)",
                            "version_value": "all versions"
                          },
                          {
                            "platform": "",
                            "version_affected": "=",
                            "version_name": "BTP 2102W (1046667)",
                            "version_value": "all versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Phoenix Contact"
              }
            ]
          }
        },
        "configuration": [],
        "credit": [
          {
            "lang": "eng",
            "value": "This vulnerability was discovered by Richard Thomas and Tom Chothia of University of Birmingham."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service)."
            }
          ]
        },
        "exploit": [],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400 Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert.vde.com/en-us/advisories/vde-2020-047",
              "refsource": "CONFIRM",
              "url": "https://cert.vde.com/en-us/advisories/vde-2020-047"
            }
          ]
        },
        "solution": [],
        "source": {
          "advisory": "vde-2020-047",
          "defect": [
            "vde-2020-047"
          ],
          "discovery": "EXTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on the recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note: https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2020-12524",
    "datePublished": "2020-12-02T14:39:20.197Z",
    "dateReserved": "2020-04-30T00:00:00.000Z",
    "dateUpdated": "2024-09-17T03:58:57.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phoenixcontact:btp_2043w_firmware:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"99086049-AA57-4E1B-8E29-C2AADAC5C46D\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phoenixcontact:btp_2043w:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F0F6F9F0-3374-4E32-BA8E-9CA9088DFBCF\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phoenixcontact:btp_2070w_firmware:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D2FFFA0A-C79E-4B57-BA2E-1A699CCCF8AF\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phoenixcontact:btp_2070w:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5BCFF35F-3408-45EB-BCEF-9782159D3E24\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phoenixcontact:btp_2102w_firmware:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B193F6D5-002F-44D3-82E5-232C32EBDE24\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phoenixcontact:btp_2102w:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C4CEA79B-6529-4DE7-8551-6373B6E78DF0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service).\"}, {\"lang\": \"es\", \"value\": \"Un Consumo No Controlado de Recursos puede ser explotado para causar que las HMIs Phoenix Contact versiones BTP 2043W, BTP 2070W y BTP 2102W en todas las versiones dejen de responder y no actualicen con precisi\\u00f3n el contenido de la pantalla (Denegaci\\u00f3n de Servicio)\"}]",
      "id": "CVE-2020-12524",
      "lastModified": "2024-11-21T04:59:51.967",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"info@cert.vde.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-12-02T15:15:12.173",
      "references": "[{\"url\": \"https://cert.vde.com/en-us/advisories/vde-2020-047\", \"source\": \"info@cert.vde.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://cert.vde.com/en-us/advisories/vde-2020-047\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "info@cert.vde.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"info@cert.vde.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-12524\",\"sourceIdentifier\":\"info@cert.vde.com\",\"published\":\"2020-12-02T15:15:12.173\",\"lastModified\":\"2024-11-21T04:59:51.967\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service).\"},{\"lang\":\"es\",\"value\":\"Un Consumo No Controlado de Recursos puede ser explotado para causar que las HMIs Phoenix Contact versiones BTP 2043W, BTP 2070W y BTP 2102W en todas las versiones dejen de responder y no actualicen con precisi\u00f3n el contenido de la pantalla (Denegaci\u00f3n de Servicio)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:phoenixcontact:btp_2043w_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99086049-AA57-4E1B-8E29-C2AADAC5C46D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:phoenixcontact:btp_2043w:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F0F6F9F0-3374-4E32-BA8E-9CA9088DFBCF\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:phoenixcontact:btp_2070w_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D2FFFA0A-C79E-4B57-BA2E-1A699CCCF8AF\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:phoenixcontact:btp_2070w:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5BCFF35F-3408-45EB-BCEF-9782159D3E24\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:phoenixcontact:btp_2102w_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B193F6D5-002F-44D3-82E5-232C32EBDE24\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:phoenixcontact:btp_2102w:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C4CEA79B-6529-4DE7-8551-6373B6E78DF0\"}]}]}],\"references\":[{\"url\":\"https://cert.vde.com/en-us/advisories/vde-2020-047\",\"source\":\"info@cert.vde.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert.vde.com/en-us/advisories/vde-2020-047\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.