cnvd - cnvd-2020-29557

CNVD-2020-29557

Vulnerability from cnvd - Published: 2020-05-15

Title

Opto 22 SoftPAC Project访问控制错误漏洞

Description

Opto 22 SoftPAC Project是美国Opto 22公司的一套自动化软件套件。该产品能够提供工业自动化、过程控制、楼宇自动化、远程监控、数据采集和工业物联网等功能。 Opto 22 SoftPAC Project 9.6及之前版本中存在访问控制错误漏洞，该漏洞源于SoftPACAgent通过22000网络端口与SoftPACMonitor进行通信，但程序并没有对这一开放的端口进行任何限制。攻击者可利用该漏洞控制SoftPACAgent服务，包括更新SoftPAC固件，启动或停止服务或写入某些注册表值。

Severity

中

Patch Name

Opto 22 SoftPAC Project访问控制错误漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.opto22.com/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-10612

Impacted products

Name
Opto22 PAC Control Basic <=9.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-10612"
    }
  },
  "description": "Opto 22 SoftPAC Project\u662f\u7f8e\u56fdOpto 22\u516c\u53f8\u7684\u4e00\u5957\u81ea\u52a8\u5316\u8f6f\u4ef6\u5957\u4ef6\u3002\u8be5\u4ea7\u54c1\u80fd\u591f\u63d0\u4f9b\u5de5\u4e1a\u81ea\u52a8\u5316\u3001\u8fc7\u7a0b\u63a7\u5236\u3001\u697c\u5b87\u81ea\u52a8\u5316\u3001\u8fdc\u7a0b\u76d1\u63a7\u3001\u6570\u636e\u91c7\u96c6\u548c\u5de5\u4e1a\u7269\u8054\u7f51\u7b49\u529f\u80fd\u3002\n\nOpto 22 SoftPAC Project 9.6\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eSoftPACAgent\u901a\u8fc722000\u7f51\u7edc\u7aef\u53e3\u4e0eSoftPACMonitor\u8fdb\u884c\u901a\u4fe1\uff0c\u4f46\u7a0b\u5e8f\u5e76\u6ca1\u6709\u5bf9\u8fd9\u4e00\u5f00\u653e\u7684\u7aef\u53e3\u8fdb\u884c\u4efb\u4f55\u9650\u5236\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63a7\u5236SoftPACAgent\u670d\u52a1\uff0c\u5305\u62ec\u66f4\u65b0SoftPAC\u56fa\u4ef6\uff0c\u542f\u52a8\u6216\u505c\u6b62\u670d\u52a1\u6216\u5199\u5165\u67d0\u4e9b\u6ce8\u518c\u8868\u503c\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.opto22.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-29557",
  "openTime": "2020-05-15",
  "patchDescription": "Opto 22 SoftPAC Project\u662f\u7f8e\u56fdOpto 22\u516c\u53f8\u7684\u4e00\u5957\u81ea\u52a8\u5316\u8f6f\u4ef6\u5957\u4ef6\u3002\u8be5\u4ea7\u54c1\u80fd\u591f\u63d0\u4f9b\u5de5\u4e1a\u81ea\u52a8\u5316\u3001\u8fc7\u7a0b\u63a7\u5236\u3001\u697c\u5b87\u81ea\u52a8\u5316\u3001\u8fdc\u7a0b\u76d1\u63a7\u3001\u6570\u636e\u91c7\u96c6\u548c\u5de5\u4e1a\u7269\u8054\u7f51\u7b49\u529f\u80fd\u3002\r\n\r\nOpto 22 SoftPAC Project 9.6\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eSoftPACAgent\u901a\u8fc722000\u7f51\u7edc\u7aef\u53e3\u4e0eSoftPACMonitor\u8fdb\u884c\u901a\u4fe1\uff0c\u4f46\u7a0b\u5e8f\u5e76\u6ca1\u6709\u5bf9\u8fd9\u4e00\u5f00\u653e\u7684\u7aef\u53e3\u8fdb\u884c\u4efb\u4f55\u9650\u5236\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63a7\u5236SoftPACAgent\u670d\u52a1\uff0c\u5305\u62ec\u66f4\u65b0SoftPAC\u56fa\u4ef6\uff0c\u542f\u52a8\u6216\u505c\u6b62\u670d\u52a1\u6216\u5199\u5165\u67d0\u4e9b\u6ce8\u518c\u8868\u503c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Opto 22 SoftPAC Project\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Opto22 PAC Control Basic \u003c=9.6"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-10612",
  "serverity": "\u4e2d",
  "submitTime": "2020-05-15",
  "title": "Opto 22 SoftPAC Project\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2020-10612 (GCVE-0-2020-10612)

Vulnerability from cvelistv5 – Published: 2020-05-14 20:33 – Updated: 2024-08-04 11:06

Summary

Opto 22 SoftPAC Project Version 9.6 and prior. SoftPACAgent communicates with SoftPACMonitor over network Port 22000. However, this port is open without any restrictions. This allows an attacker with network access to control the SoftPACAgent service including updating SoftPAC firmware, starting or stopping service, or writing to certain registry values.

Severity ?

No CVSS data available.

CWE

CWE-284 - IMPROPER ACCESS CONTROL CWE-284

Assigner

icscert

References

URL

Tags

https://www.us-cert.gov/ics/advisories/icsa-20-135-01

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Opto 22 SoftPAC Project	Affected: SoftPAC Project Version 9.6 and prior

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:06:09.904Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsa-20-135-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Opto 22 SoftPAC Project",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "SoftPAC Project Version 9.6 and prior"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Opto 22 SoftPAC Project Version 9.6 and prior. SoftPACAgent communicates with SoftPACMonitor over network Port 22000. However, this port is open without any restrictions. This allows an attacker with network access to control the SoftPACAgent service including updating SoftPAC firmware, starting or stopping service, or writing to certain registry values."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "IMPROPER ACCESS CONTROL CWE-284",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-14T20:33:57",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/icsa-20-135-01"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-10612",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Opto 22 SoftPAC Project",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "SoftPAC Project Version 9.6 and prior"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Opto 22 SoftPAC Project Version 9.6 and prior. SoftPACAgent communicates with SoftPACMonitor over network Port 22000. However, this port is open without any restrictions. This allows an attacker with network access to control the SoftPACAgent service including updating SoftPAC firmware, starting or stopping service, or writing to certain registry values."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "IMPROPER ACCESS CONTROL CWE-284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsa-20-135-01",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsa-20-135-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-10612",
    "datePublished": "2020-05-14T20:33:57",
    "dateReserved": "2020-03-16T00:00:00",
    "dateUpdated": "2024-08-04T11:06:09.904Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-29557

CVE-2020-10612 (GCVE-0-2020-10612)

Tags

Sightings

Nomenclature