CVE-2020-11617 - Vulnerability Details - OpenCVE

The RSS application on THOMSON THT741FTA 2.2.1 and Philips DTR3502BFTA DVB-T2 2.2.1 set-top boxes doesn't validate the SSL certificates of RSS servers, which allows a man-in-the-middle attacker to modify the data delivered to the client.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Philips	Dtr3502bfta Dvb-t2 Dtr3502bfta Dvb-t2 Firmware
Thomsonstb	Tht741fta Tht741fta Firmware

Configuration 1 [-]

AND

cpe:2.3:o:thomsonstb:tht741fta_firmware:2.2.1:*:*:*:*:*:*:*

cpe:2.3:h:thomsonstb:tht741fta:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:philips:dtr3502bfta_dvb-t2_firmware:2.2.1:*:*:*:*:*:*:*

cpe:2.3:h:philips:dtr3502bfta_dvb-t2:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://decoded.avast.io/vladislaviliushin/flaws-in-dvb-t2-set-top-boxes-exposed/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-08-31T14:20:55

Updated: 2024-08-04T11:35:13.201Z

Reserved: 2020-04-07T00:00:00

Link: CVE-2020-11617

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-08-31T15:15:09.963

Modified: 2024-11-21T04:58:15.440

Link: CVE-2020-11617

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The RSS application on THOMSON THT741FTA 2.2.1 and Philips DTR3502BFTA DVB-T2 2.2.1 set-top boxes doesn't validate the SSL certificates of RSS servers, which allows a man-in-the-middle attacker to modify the data delivered to the client."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-31T14:20:55", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://decoded.avast.io/vladislaviliushin/flaws-in-dvb-t2-set-top-boxes-exposed/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-11617", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The RSS application on THOMSON THT741FTA 2.2.1 and Philips DTR3502BFTA DVB-T2 2.2.1 set-top boxes doesn't validate the SSL certificates of RSS servers, which allows a man-in-the-middle attacker to modify the data delivered to the client."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://decoded.avast.io/vladislaviliushin/flaws-in-dvb-t2-set-top-boxes-exposed/", "refsource": "MISC", "url": "https://decoded.avast.io/vladislaviliushin/flaws-in-dvb-t2-set-top-boxes-exposed/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:35:13.201Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://decoded.avast.io/vladislaviliushin/flaws-in-dvb-t2-set-top-boxes-exposed/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-11617", "datePublished": "2020-08-31T14:20:55", "dateReserved": "2020-04-07T00:00:00", "dateUpdated": "2024-08-04T11:35:13.201Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:thomsonstb:tht741fta_firmware:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB8600E3-2D1E-4CB5-9C55-B09E535440B2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:thomsonstb:tht741fta:-:*:*:*:*:*:*:*", "matchCriteriaId": "CE794551-094B-470E-99B4-93C07AB54AC5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:philips:dtr3502bfta_dvb-t2_firmware:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "AD438BA0-0001-43F6-9881-9500FAF18547", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:philips:dtr3502bfta_dvb-t2:-:*:*:*:*:*:*:*", "matchCriteriaId": "9F6289A0-5B62-4590-A7EB-699811BE35F1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The RSS application on THOMSON THT741FTA 2.2.1 and Philips DTR3502BFTA DVB-T2 2.2.1 set-top boxes doesn't validate the SSL certificates of RSS servers, which allows a man-in-the-middle attacker to modify the data delivered to the client."}, {"lang": "es", "value": "La aplicaci\u00f3n RSS en los decodificadores THOMSON THT741FTA versi\u00f3n 2.2.1 y Philips DTR3502BFTA DVB-T2 versi\u00f3n 2.2.1, no valida los certificados SSL de los servidores RSS, permitiendo a un atacante de tipo man-in-the-middle modificar los datos entregados a el cliente"}], "id": "CVE-2020-11617", "lastModified": "2024-11-21T04:58:15.440", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-31T15:15:09.963", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://decoded.avast.io/vladislaviliushin/flaws-in-dvb-t2-set-top-boxes-exposed/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://decoded.avast.io/vladislaviliushin/flaws-in-dvb-t2-set-top-boxes-exposed/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}