cnvd - cnvd-2020-22318

CNVD-2020-22318

Vulnerability from cnvd - Published: 2020-04-10

Title

GE CIMPLICITY权限提升漏洞

Description

GE CIMPLICITY是美国通用电气（GE）公司的一款基于客户端/服务器的HMI/SCADA解决方案。该解决方案能够在企业各个层级之间采集并共享实时和历史数据，实现过程、设备、资源监控的操作可视化。 GE CIMPLICITY存在权限提升漏洞，攻击者可利用该漏洞执行任意代码。

Severity

高

Patch Name

GE CIMPLICITY权限提升漏洞的补丁

Patch Description

GE CIMPLICITY是美国通用电气（GE）公司的一款基于客户端/服务器的HMI/SCADA解决方案。该解决方案能够在企业各个层级之间采集并共享实时和历史数据，实现过程、设备、资源监控的操作可视化。 GE CIMPLICITY存在权限提升漏洞，攻击者可利用该漏洞执行任意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://digitalsupport.ge.com

Reference

https://www.us-cert.gov/ics/advisories/icsa-20-098-02

Impacted products

Name
GE CIMPLICITY <=v10.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-6992"
    }
  },
  "description": "GE CIMPLICITY\u662f\u7f8e\u56fd\u901a\u7528\u7535\u6c14\uff08GE\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u57fa\u4e8e\u5ba2\u6237\u7aef/\u670d\u52a1\u5668\u7684HMI/SCADA\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u89e3\u51b3\u65b9\u6848\u80fd\u591f\u5728\u4f01\u4e1a\u5404\u4e2a\u5c42\u7ea7\u4e4b\u95f4\u91c7\u96c6\u5e76\u5171\u4eab\u5b9e\u65f6\u548c\u5386\u53f2\u6570\u636e\uff0c\u5b9e\u73b0\u8fc7\u7a0b\u3001\u8bbe\u5907\u3001\u8d44\u6e90\u76d1\u63a7\u7684\u64cd\u4f5c\u53ef\u89c6\u5316\u3002\n\nGE CIMPLICITY\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://digitalsupport.ge.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-22318",
  "openTime": "2020-04-10",
  "patchDescription": "GE CIMPLICITY\u662f\u7f8e\u56fd\u901a\u7528\u7535\u6c14\uff08GE\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u57fa\u4e8e\u5ba2\u6237\u7aef/\u670d\u52a1\u5668\u7684HMI/SCADA\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u89e3\u51b3\u65b9\u6848\u80fd\u591f\u5728\u4f01\u4e1a\u5404\u4e2a\u5c42\u7ea7\u4e4b\u95f4\u91c7\u96c6\u5e76\u5171\u4eab\u5b9e\u65f6\u548c\u5386\u53f2\u6570\u636e\uff0c\u5b9e\u73b0\u8fc7\u7a0b\u3001\u8bbe\u5907\u3001\u8d44\u6e90\u76d1\u63a7\u7684\u64cd\u4f5c\u53ef\u89c6\u5316\u3002\r\n\r\nGE CIMPLICITY\u5b58\u5728\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "GE CIMPLICITY\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "GE CIMPLICITY \u003c=v10.0"
  },
  "referenceLink": "https://www.us-cert.gov/ics/advisories/icsa-20-098-02",
  "serverity": "\u9ad8",
  "submitTime": "2020-04-08",
  "title": "GE CIMPLICITY\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

CVE-2020-6992 (GCVE-0-2020-6992)

Vulnerability from cvelistv5 – Published: 2020-04-15 16:39 – Updated: 2024-08-04 09:18

Summary

A local privilege escalation vulnerability has been identified in the GE Digital CIMPLICITY HMI/SCADA product v10.0 and prior. If exploited, this vulnerability could allow an adversary to modify the system, leading to the arbitrary execution of code. This vulnerability is only exploitable if an attacker has access to an authenticated session. GE Digital CIMPLICITY v11.0, released January 2020, contains mitigation for this local privilege escalation vulnerability. GE Digital recommends all users upgrade to GE CIMPLICITY v11.0 or newer.

Severity ?

No CVSS data available.

CWE

CWE-269 - Improper Privilege Management CWE-269

Assigner

icscert

References

URL

Tags

https://www.us-cert.gov/ics/advisories/icsa-20-098-02

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	GE Digital CIMPLICITY	Affected: v10.0 and prior

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:18:02.457Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsa-20-098-02"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GE Digital CIMPLICITY",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "v10.0 and prior"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A local privilege escalation vulnerability has been identified in the GE Digital CIMPLICITY HMI/SCADA product v10.0 and prior. If exploited, this vulnerability could allow an adversary to modify the system, leading to the arbitrary execution of code. This vulnerability is only exploitable if an attacker has access to an authenticated session. GE Digital CIMPLICITY v11.0, released January 2020, contains mitigation for this local privilege escalation vulnerability. GE Digital recommends all users upgrade to GE CIMPLICITY v11.0 or newer."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "Improper Privilege Management CWE-269",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-15T16:39:49",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/icsa-20-098-02"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-6992",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GE Digital CIMPLICITY",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "v10.0 and prior"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A local privilege escalation vulnerability has been identified in the GE Digital CIMPLICITY HMI/SCADA product v10.0 and prior. If exploited, this vulnerability could allow an adversary to modify the system, leading to the arbitrary execution of code. This vulnerability is only exploitable if an attacker has access to an authenticated session. GE Digital CIMPLICITY v11.0, released January 2020, contains mitigation for this local privilege escalation vulnerability. GE Digital recommends all users upgrade to GE CIMPLICITY v11.0 or newer."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Privilege Management CWE-269"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsa-20-098-02",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsa-20-098-02"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-6992",
    "datePublished": "2020-04-15T16:39:49",
    "dateReserved": "2020-01-14T00:00:00",
    "dateUpdated": "2024-08-04T09:18:02.457Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-22318

CVE-2020-6992 (GCVE-0-2020-6992)

Tags

Sightings

Nomenclature