CVE-2020-12030 (GCVE-0-2020-12030)

Vulnerability from cvelistv5 – Published: 2021-09-29 19:36 – Updated: 2024-08-04 11:48
VLAI?
Summary
There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway.
Severity ?
10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-284 - IMPROPER ACCESS CONTROL CWE-284
Assigner
References
Impacted products
Vendor Product Version
Emerson Wireless 1410 Gateway Affected: 4.6.43 , ≤ 4.7.84 (custom)
Create a notification for this product.
    Emerson Wireless 1420 Gateway Affected: 4.6.43 , ≤ 4.7.84 (custom)
Create a notification for this product.
    Emerson Wireless 1552WU Gateway Affected: 4.6.43 , ≤ 4.7.84 (custom)
Create a notification for this product.
Credits
Emerson discovered this vulnerability and reported it to CISA once there was a solution.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:48:57.679Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Wireless 1410 Gateway",
          "vendor": "Emerson",
          "versions": [
            {
              "lessThanOrEqual": "4.7.84",
              "status": "affected",
              "version": "4.6.43",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Wireless 1420 Gateway",
          "vendor": "Emerson",
          "versions": [
            {
              "lessThanOrEqual": "4.7.84",
              "status": "affected",
              "version": "4.6.43",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Wireless 1552WU Gateway",
          "vendor": "Emerson",
          "versions": [
            {
              "lessThanOrEqual": "4.7.84",
              "status": "affected",
              "version": "4.6.43",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Emerson discovered this vulnerability and reported it to CISA once there was a solution."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "There is a flaw in the code used to configure the internal gateway firewall when the gateway\u0027s VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": " IMPROPER ACCESS CONTROL CWE-284",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-29T19:36:38",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Emerson recommends end users update the firmware on VLAN-enabled Version 4 gateways as soon as possible.\n\nIf the VLAN feature is not enabled, no immediate action is necessary.\nPlease see Emerson\u2019s cybersecurity notification alert number EMR.RMT20001-1 for more information."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Emerson WirelessHART Gateway",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-12030",
          "STATE": "PUBLIC",
          "TITLE": "Emerson WirelessHART Gateway"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Wireless 1410 Gateway",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "4.6.43",
                            "version_value": "4.7.84"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Wireless 1420 Gateway",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "4.6.43",
                            "version_value": "4.7.84"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Wireless 1552WU Gateway",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "4.6.43",
                            "version_value": "4.7.84"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Emerson"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Emerson discovered this vulnerability and reported it to CISA once there was a solution."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "There is a flaw in the code used to configure the internal gateway firewall when the gateway\u0027s VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": " IMPROPER ACCESS CONTROL CWE-284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02",
              "refsource": "MISC",
              "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Emerson recommends end users update the firmware on VLAN-enabled Version 4 gateways as soon as possible.\n\nIf the VLAN feature is not enabled, no immediate action is necessary.\nPlease see Emerson\u2019s cybersecurity notification alert number EMR.RMT20001-1 for more information."
          }
        ],
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-12030",
    "datePublished": "2021-09-29T19:36:38",
    "dateReserved": "2020-04-21T00:00:00",
    "dateUpdated": "2024-08-04T11:48:57.679Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:emerson:wireless_1410_gateway_firmware:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.6.43\", \"versionEndIncluding\": \"4.7.84\", \"matchCriteriaId\": \"8889B23B-B3B7-4B0C-AEB8-4B4857BA8D30\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:emerson:wireless_1410_gateway:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1DF1A7F9-86E8-4B21-9C98-2E3E0AE3BBBB\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:emerson:wireless_1420_gateway_firmware:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.6.43\", \"versionEndIncluding\": \"4.7.84\", \"matchCriteriaId\": \"25464141-5AE4-48CA-8719-E2B8A170D858\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:emerson:wireless_1420_gateway:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3CEB591C-621A-49A9-BEF0-5854B06490EB\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:emerson:wireless_1552wu_gateway_firmware:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.6.43\", \"versionEndIncluding\": \"4.7.84\", \"matchCriteriaId\": \"7E3AAECD-1129-48A8-991B-911CCBA28CDA\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:emerson:wireless_1552wu_gateway:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0C7A8A69-4F11-4AF0-9F64-80E34DB4C46E\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"There is a flaw in the code used to configure the internal gateway firewall when the gateway\u0027s VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway.\"}, {\"lang\": \"es\", \"value\": \"Se presenta un fallo en el c\\u00f3digo usado para configurar el firewall del gateway interno cuando la funci\\u00f3n VLAN del gateway est\\u00e1 activada. Si un usuario habilita la configuraci\\u00f3n de la VLAN, el firewall del gateway interna se desactiva, resultando en una exposici\\u00f3n de todos los puertos usados por el gateway\"}]",
      "id": "CVE-2020-12030",
      "lastModified": "2024-11-21T04:59:08.803",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 10.0, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 10.0, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 6.0}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-09-29T20:15:07.870",
      "references": "[{\"url\": \"https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-12030\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2021-09-29T20:15:07.870\",\"lastModified\":\"2024-11-21T04:59:08.803\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is a flaw in the code used to configure the internal gateway firewall when the gateway\u0027s VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway.\"},{\"lang\":\"es\",\"value\":\"Se presenta un fallo en el c\u00f3digo usado para configurar el firewall del gateway interno cuando la funci\u00f3n VLAN del gateway est\u00e1 activada. Si un usuario habilita la configuraci\u00f3n de la VLAN, el firewall del gateway interna se desactiva, resultando en una exposici\u00f3n de todos los puertos usados por el gateway\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:emerson:wireless_1410_gateway_firmware:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.6.43\",\"versionEndIncluding\":\"4.7.84\",\"matchCriteriaId\":\"8889B23B-B3B7-4B0C-AEB8-4B4857BA8D30\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:emerson:wireless_1410_gateway:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1DF1A7F9-86E8-4B21-9C98-2E3E0AE3BBBB\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:emerson:wireless_1420_gateway_firmware:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.6.43\",\"versionEndIncluding\":\"4.7.84\",\"matchCriteriaId\":\"25464141-5AE4-48CA-8719-E2B8A170D858\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:emerson:wireless_1420_gateway:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3CEB591C-621A-49A9-BEF0-5854B06490EB\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:emerson:wireless_1552wu_gateway_firmware:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.6.43\",\"versionEndIncluding\":\"4.7.84\",\"matchCriteriaId\":\"7E3AAECD-1129-48A8-991B-911CCBA28CDA\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:emerson:wireless_1552wu_gateway:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0C7A8A69-4F11-4AF0-9F64-80E34DB4C46E\"}]}]}],\"references\":[{\"url\":\"https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://us-cert.cisa.gov/ics/advisories/icsa-20-135-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.