CVE-2020-12017 (GCVE-0-2020-12017)

Vulnerability from cvelistv5 – Published: 2020-06-02 18:31 – Updated: 2024-08-04 11:48
VLAI?
Summary
GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device’s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacker to execute arbitrary commands and send a request to a specific URL that could cause the device to become unresponsive. The unauthenticated attacker may change the password of the 'configuration' user account, allowing the attacker to modify the configuration of the device via the web interface using the new password. This vulnerability may also allow an unauthenticated attacker to bypass the authentication required to configure the device and reboot the system.
Severity ?
No CVSS data available.
CWE
  • CWE-306 - MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
Assigner
References
Impacted products
Vendor Product Version
n/a GE Grid Solutions Reason RT Clocks Affected: RT430, RT431, and RT434, all firmware versions prior to 08A05
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:48:58.016Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsa-20-154-05"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GE Grid Solutions Reason RT Clocks",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "RT430, RT431, and RT434, all firmware versions prior to 08A05"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device\u2019s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacker to execute arbitrary commands and send a request to a specific URL that could cause the device to become unresponsive. The unauthenticated attacker may change the password of the \u0027configuration\u0027 user account, allowing the attacker to modify the configuration of the device via the web interface using the new password. This vulnerability may also allow an unauthenticated attacker to bypass the authentication required to configure the device and reboot the system."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-02T18:31:05",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/icsa-20-154-05"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-12017",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GE Grid Solutions Reason RT Clocks",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "RT430, RT431, and RT434, all firmware versions prior to 08A05"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device\u2019s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacker to execute arbitrary commands and send a request to a specific URL that could cause the device to become unresponsive. The unauthenticated attacker may change the password of the \u0027configuration\u0027 user account, allowing the attacker to modify the configuration of the device via the web interface using the new password. This vulnerability may also allow an unauthenticated attacker to bypass the authentication required to configure the device and reboot the system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsa-20-154-05",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsa-20-154-05"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-12017",
    "datePublished": "2020-06-02T18:31:05",
    "dateReserved": "2020-04-21T00:00:00",
    "dateUpdated": "2024-08-04T11:48:58.016Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ge:rt430_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"08a05\", \"matchCriteriaId\": \"DD109DE7-1C72-4778-9B9E-268F2E731018\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:ge:rt430:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0EB994D8-B52E-4375-8957-6B5F0866F5B3\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ge:rt431_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"08a05\", \"matchCriteriaId\": \"C32D1CAD-1546-4229-AC62-80E5A2E7557C\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:ge:rt431:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"366B4D1B-A8CB-4EA9-8C84-A4E3CCB4B22D\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ge:rt434_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"08a05\", \"matchCriteriaId\": \"10BC5948-A2D1-45B6-87B4-DD4524791F18\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:ge:rt434:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BCD38027-CE2E-45B0-98B2-922C64494745\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device\\u2019s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacker to execute arbitrary commands and send a request to a specific URL that could cause the device to become unresponsive. The unauthenticated attacker may change the password of the \u0027configuration\u0027 user account, allowing the attacker to modify the configuration of the device via the web interface using the new password. This vulnerability may also allow an unauthenticated attacker to bypass the authentication required to configure the device and reboot the system.\"}, {\"lang\": \"es\", \"value\": \"GE Grid Solutions Reason RT Clocks, RT430, RT431 y RT434, todas las versiones de firmware anteriores a 08A05. La vulnerabilidad del dispositivo en la aplicaci\\u00f3n web podr\\u00eda permitir m\\u00faltiples ataques no autenticados que podr\\u00edan causar un grave impacto. La vulnerabilidad puede permitir a un atacante no autenticado ejecutar comandos arbitrarios y enviar una petici\\u00f3n hacia una URL espec\\u00edfica que podr\\u00eda causar que el dispositivo deje de responder. El atacante no autenticado puede cambiar la contrase\\u00f1a de la cuenta de usuario \\\"configuration\\\", permitiendo al atacante modificar la configuraci\\u00f3n del dispositivo por medio de la interfaz web usando la nueva contrase\\u00f1a. Esta vulnerabilidad tambi\\u00e9n puede permitir a un atacante no autenticado omitir la autenticaci\\u00f3n requerida para configurar el dispositivo y reiniciar el sistema.\"}]",
      "id": "CVE-2020-12017",
      "lastModified": "2024-11-21T04:59:07.367",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:C\", \"baseScore\": 9.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 8.5, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-06-02T19:15:11.403",
      "references": "[{\"url\": \"https://www.us-cert.gov/ics/advisories/icsa-20-154-05\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://www.us-cert.gov/ics/advisories/icsa-20-154-05\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-306\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-306\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-12017\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2020-06-02T19:15:11.403\",\"lastModified\":\"2024-11-21T04:59:07.367\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device\u2019s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacker to execute arbitrary commands and send a request to a specific URL that could cause the device to become unresponsive. The unauthenticated attacker may change the password of the \u0027configuration\u0027 user account, allowing the attacker to modify the configuration of the device via the web interface using the new password. This vulnerability may also allow an unauthenticated attacker to bypass the authentication required to configure the device and reboot the system.\"},{\"lang\":\"es\",\"value\":\"GE Grid Solutions Reason RT Clocks, RT430, RT431 y RT434, todas las versiones de firmware anteriores a 08A05. La vulnerabilidad del dispositivo en la aplicaci\u00f3n web podr\u00eda permitir m\u00faltiples ataques no autenticados que podr\u00edan causar un grave impacto. La vulnerabilidad puede permitir a un atacante no autenticado ejecutar comandos arbitrarios y enviar una petici\u00f3n hacia una URL espec\u00edfica que podr\u00eda causar que el dispositivo deje de responder. El atacante no autenticado puede cambiar la contrase\u00f1a de la cuenta de usuario \\\"configuration\\\", permitiendo al atacante modificar la configuraci\u00f3n del dispositivo por medio de la interfaz web usando la nueva contrase\u00f1a. Esta vulnerabilidad tambi\u00e9n puede permitir a un atacante no autenticado omitir la autenticaci\u00f3n requerida para configurar el dispositivo y reiniciar el sistema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:C\",\"baseScore\":9.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":8.5,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ge:rt430_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"08a05\",\"matchCriteriaId\":\"DD109DE7-1C72-4778-9B9E-268F2E731018\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ge:rt430:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0EB994D8-B52E-4375-8957-6B5F0866F5B3\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ge:rt431_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"08a05\",\"matchCriteriaId\":\"C32D1CAD-1546-4229-AC62-80E5A2E7557C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ge:rt431:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"366B4D1B-A8CB-4EA9-8C84-A4E3CCB4B22D\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ge:rt434_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"08a05\",\"matchCriteriaId\":\"10BC5948-A2D1-45B6-87B4-DD4524791F18\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ge:rt434:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BCD38027-CE2E-45B0-98B2-922C64494745\"}]}]}],\"references\":[{\"url\":\"https://www.us-cert.gov/ics/advisories/icsa-20-154-05\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsa-20-154-05\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.