CVE-2020-15797 (GCVE-0-2020-15797)

Vulnerability from cvelistv5 – Published: 2020-10-13 15:30 – Updated: 2024-08-04 13:30
VLAI?
Summary
A vulnerability has been identified in DCA Vantage Analyzer (All versions < V4.5 are affected by CVE-2020-7590. In addition, serial numbers < 40000 running software V4.4.0 are also affected by CVE-2020-15797). Improper Access Control could allow an unauthenticated attacker to escape from the restricted environment (“kiosk mode”) and access the underlying operating system. Successful exploitation requires direct physical access to the system.
Severity ?
No CVSS data available.
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
Siemens DCA Vantage Analyzer Affected: All versions < V4.5 are affected by CVE-2020-7590. In addition, serial numbers < 40000 running software V4.4.0 are also affected by CVE-2020-15797
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:30:21.872Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.siemens-healthineers.com/support-documentation/security-advisory"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DCA Vantage Analyzer",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V4.5 are affected by CVE-2020-7590. In addition, serial numbers \u003c 40000 running software V4.4.0 are also affected by CVE-2020-15797"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in DCA Vantage Analyzer (All versions \u003c V4.5 are affected by CVE-2020-7590. In addition, serial numbers \u003c 40000 running software V4.4.0 are also affected by CVE-2020-15797). Improper Access Control could allow an unauthenticated attacker to escape from the restricted environment (\u201ckiosk mode\u201d) and access the underlying operating system. Successful exploitation requires direct physical access to the system."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-13T15:30:19.000Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.siemens-healthineers.com/support-documentation/security-advisory"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "productcert@siemens.com",
          "ID": "CVE-2020-15797",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "DCA Vantage Analyzer",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V4.5 are affected by CVE-2020-7590. In addition, serial numbers \u003c 40000 running software V4.4.0 are also affected by CVE-2020-15797"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Siemens"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability has been identified in DCA Vantage Analyzer (All versions \u003c V4.5 are affected by CVE-2020-7590. In addition, serial numbers \u003c 40000 running software V4.4.0 are also affected by CVE-2020-15797). Improper Access Control could allow an unauthenticated attacker to escape from the restricted environment (\u201ckiosk mode\u201d) and access the underlying operating system. Successful exploitation requires direct physical access to the system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-269: Improper Privilege Management"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.siemens-healthineers.com/support-documentation/security-advisory",
              "refsource": "MISC",
              "url": "https://www.siemens-healthineers.com/support-documentation/security-advisory"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2020-15797",
    "datePublished": "2020-10-13T15:30:19.000Z",
    "dateReserved": "2020-07-15T00:00:00.000Z",
    "dateUpdated": "2024-08-04T13:30:21.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-15797",
      "date": "2026-05-07",
      "epss": "0.00283",
      "percentile": "0.51667"
    },
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:siemens:dca_vantage_analyzer_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"4.5.0.0\", \"matchCriteriaId\": \"2B4F34A3-AB7B-4528-9F27-3073E25A5176\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:siemens:dca_vantage_analyzer:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EDE5221F-8629-4DC4-AD8A-93EED671469B\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability has been identified in DCA Vantage Analyzer (All versions \u003c V4.5 are affected by CVE-2020-7590. In addition, serial numbers \u003c 40000 running software V4.4.0 are also affected by CVE-2020-15797). Improper Access Control could allow an unauthenticated attacker to escape from the restricted environment (\\u201ckiosk mode\\u201d) and access the underlying operating system. Successful exploitation requires direct physical access to the system.\"}, {\"lang\": \"es\", \"value\": \"Se ha identificado una vulnerabilidad en DCA Vantage Analyzer (todas las versiones anteriores a V4.5 est\\u00e1n afectadas por CVE-2020-7590. Adem\\u00e1s, los n\\u00fameros de serial anteriores a 40000 que ejecutan el software versi\\u00f3n V4.4.0 tambi\\u00e9n est\\u00e1n afectados por CVE-2020-15797).\u0026#xa0;Un Control de Acceso Inapropiado podr\\u00eda permitir a un atacante no autenticado escapar del entorno restringido (\\u201ckiosk mode\\u201d) y acceder al sistema operativo subyacente.\u0026#xa0;Una explotaci\\u00f3n con \\u00e9xito requiere acceso f\\u00edsico directo al sistema\"}]",
      "id": "CVE-2020-15797",
      "lastModified": "2024-11-21T05:06:12.010",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"PHYSICAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 7.2, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 3.9, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-10-13T16:15:21.280",
      "references": "[{\"url\": \"https://www.siemens-healthineers.com/support-documentation/security-advisory\", \"source\": \"productcert@siemens.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.siemens-healthineers.com/support-documentation/security-advisory\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "productcert@siemens.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"productcert@siemens.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-269\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-15797\",\"sourceIdentifier\":\"productcert@siemens.com\",\"published\":\"2020-10-13T16:15:21.280\",\"lastModified\":\"2024-11-21T05:06:12.010\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been identified in DCA Vantage Analyzer (All versions \u003c V4.5 are affected by CVE-2020-7590. In addition, serial numbers \u003c 40000 running software V4.4.0 are also affected by CVE-2020-15797). Improper Access Control could allow an unauthenticated attacker to escape from the restricted environment (\u201ckiosk mode\u201d) and access the underlying operating system. Successful exploitation requires direct physical access to the system.\"},{\"lang\":\"es\",\"value\":\"Se ha identificado una vulnerabilidad en DCA Vantage Analyzer (todas las versiones anteriores a V4.5 est\u00e1n afectadas por CVE-2020-7590. Adem\u00e1s, los n\u00fameros de serial anteriores a 40000 que ejecutan el software versi\u00f3n V4.4.0 tambi\u00e9n est\u00e1n afectados por CVE-2020-15797).\u0026#xa0;Un Control de Acceso Inapropiado podr\u00eda permitir a un atacante no autenticado escapar del entorno restringido (\u201ckiosk mode\u201d) y acceder al sistema operativo subyacente.\u0026#xa0;Una explotaci\u00f3n con \u00e9xito requiere acceso f\u00edsico directo al sistema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":7.2,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":3.9,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:dca_vantage_analyzer_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.5.0.0\",\"matchCriteriaId\":\"2B4F34A3-AB7B-4528-9F27-3073E25A5176\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:dca_vantage_analyzer:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EDE5221F-8629-4DC4-AD8A-93EED671469B\"}]}]}],\"references\":[{\"url\":\"https://www.siemens-healthineers.com/support-documentation/security-advisory\",\"source\":\"productcert@siemens.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.siemens-healthineers.com/support-documentation/security-advisory\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.