CVE-2020-12030 - Vulnerability Details - OpenCVE

There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Emerson	Wireless 1410 Gateway Wireless 1410 Gateway Firmware Wireless 1420 Gateway Wireless 1420 Gateway Firmware Wireless 1552wu Gateway Wireless 1552wu Gateway Firmware

Configuration 1 [-]

AND

cpe:2.3:o:emerson:wireless_1410_gateway_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:emerson:wireless_1410_gateway:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:emerson:wireless_1420_gateway_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:emerson:wireless_1420_gateway:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:emerson:wireless_1552wu_gateway_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:emerson:wireless_1552wu_gateway:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-09-29T19:36:38

Updated: 2024-08-04T11:48:57.679Z

Reserved: 2020-04-21T00:00:00

Link: CVE-2020-12030

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-09-29T20:15:07.870

Modified: 2024-11-21T04:59:08.803

Link: CVE-2020-12030

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Wireless 1410 Gateway", "vendor": "Emerson", "versions": [{"lessThanOrEqual": "4.7.84", "status": "affected", "version": "4.6.43", "versionType": "custom"}]}, {"product": "Wireless 1420 Gateway", "vendor": "Emerson", "versions": [{"lessThanOrEqual": "4.7.84", "status": "affected", "version": "4.6.43", "versionType": "custom"}]}, {"product": "Wireless 1552WU Gateway", "vendor": "Emerson", "versions": [{"lessThanOrEqual": "4.7.84", "status": "affected", "version": "4.6.43", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Emerson discovered this vulnerability and reported it to CISA once there was a solution."}], "descriptions": [{"lang": "en", "value": "There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": " IMPROPER ACCESS CONTROL CWE-284", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-29T19:36:38", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02"}], "solutions": [{"lang": "en", "value": "Emerson recommends end users update the firmware on VLAN-enabled Version 4 gateways as soon as possible.\n\nIf the VLAN feature is not enabled, no immediate action is necessary.\nPlease see Emerson\u2019s cybersecurity notification alert number EMR.RMT20001-1 for more information."}], "source": {"discovery": "UNKNOWN"}, "title": "Emerson WirelessHART Gateway", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-12030", "STATE": "PUBLIC", "TITLE": "Emerson WirelessHART Gateway"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Wireless 1410 Gateway", "version": {"version_data": [{"version_affected": "<=", "version_name": "4.6.43", "version_value": "4.7.84"}]}}, {"product_name": "Wireless 1420 Gateway", "version": {"version_data": [{"version_affected": "<=", "version_name": "4.6.43", "version_value": "4.7.84"}]}}, {"product_name": "Wireless 1552WU Gateway", "version": {"version_data": [{"version_affected": "<=", "version_name": "4.6.43", "version_value": "4.7.84"}]}}]}, "vendor_name": "Emerson"}]}}, "credit": [{"lang": "eng", "value": "Emerson discovered this vulnerability and reported it to CISA once there was a solution."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": " IMPROPER ACCESS CONTROL CWE-284"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02"}]}, "solution": [{"lang": "en", "value": "Emerson recommends end users update the firmware on VLAN-enabled Version 4 gateways as soon as possible.\n\nIf the VLAN feature is not enabled, no immediate action is necessary.\nPlease see Emerson\u2019s cybersecurity notification alert number EMR.RMT20001-1 for more information."}], "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:48:57.679Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-12030", "datePublished": "2021-09-29T19:36:38", "dateReserved": "2020-04-21T00:00:00", "dateUpdated": "2024-08-04T11:48:57.679Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:emerson:wireless_1410_gateway_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8889B23B-B3B7-4B0C-AEB8-4B4857BA8D30", "versionEndIncluding": "4.7.84", "versionStartIncluding": "4.6.43", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:emerson:wireless_1410_gateway:-:*:*:*:*:*:*:*", "matchCriteriaId": "1DF1A7F9-86E8-4B21-9C98-2E3E0AE3BBBB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:emerson:wireless_1420_gateway_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "25464141-5AE4-48CA-8719-E2B8A170D858", "versionEndIncluding": "4.7.84", "versionStartIncluding": "4.6.43", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:emerson:wireless_1420_gateway:-:*:*:*:*:*:*:*", "matchCriteriaId": "3CEB591C-621A-49A9-BEF0-5854B06490EB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:emerson:wireless_1552wu_gateway_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E3AAECD-1129-48A8-991B-911CCBA28CDA", "versionEndIncluding": "4.7.84", "versionStartIncluding": "4.6.43", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:emerson:wireless_1552wu_gateway:-:*:*:*:*:*:*:*", "matchCriteriaId": "0C7A8A69-4F11-4AF0-9F64-80E34DB4C46E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway."}, {"lang": "es", "value": "Se presenta un fallo en el c\u00f3digo usado para configurar el firewall del gateway interno cuando la funci\u00f3n VLAN del gateway est\u00e1 activada. Si un usuario habilita la configuraci\u00f3n de la VLAN, el firewall del gateway interna se desactiva, resultando en una exposici\u00f3n de todos los puertos usados por el gateway"}], "id": "CVE-2020-12030", "lastModified": "2024-11-21T04:59:08.803", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-29T20:15:07.870", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}