fkie_nvd - fkie_cve-2020-10606

FKIE_CVE-2020-10606

Vulnerability from fkie_nvd - Published: 2020-07-24 23:15 - Updated: 2024-11-21 04:55

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

In OSIsoft PI System multiple products and versions, a local attacker can exploit incorrect permissions set by affected PI System software. This exploitation can result in unauthorized information disclosure, deletion, or modification if the local computer also processes PI System data from other users, such as from a shared workstation or terminal server deployment.

References

	URL	Tags
	ics-cert@hq.dhs.gov	https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02	Third Party Advisory, US Government Resource
	af854a3a-2127-422b-91ae-364da2661108	https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02	Third Party Advisory, US Government Resource

Impacted products

Vendor	Product	Version
osisoft	pi_api	*
osisoft	pi_api	*
osisoft	pi_buffer_subsystem	*
osisoft	pi_connector	*
osisoft	pi_connector	*
osisoft	pi_connector	*
osisoft	pi_connector	*
osisoft	pi_connector	*
osisoft	pi_connector	*
osisoft	pi_connector	*
osisoft	pi_connector	*
osisoft	pi_connector	*
osisoft	pi_connector	*
osisoft	pi_connector	*
osisoft	pi_connector_relay	*
osisoft	pi_data_archive	*
osisoft	pi_data_collection_manager	*
osisoft	pi_integrator	*
osisoft	pi_interface_configuration_utility	*
osisoft	pi_to_ocs	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:osisoft:pi_api:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D7B554C-447F-4C1B-838F-A6E8F690F6A6",
              "versionEndIncluding": "1.6.8.26",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_api:*:*:*:*:*:windows_integrated_security:*:*",
              "matchCriteriaId": "EDCD07A7-9079-444E-8AF0-EDD2CE8CEED4",
              "versionEndIncluding": "2.0.2.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_buffer_subsystem:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A895F35-CC2E-4B74-99E7-5801C4276336",
              "versionEndIncluding": "4.8.0.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_connector:*:*:*:*:*:ping:*:*",
              "matchCriteriaId": "19394A8B-C47C-4A1C-8D73-B2FAE624B504",
              "versionEndIncluding": "1.0.0.54",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_connector:*:*:*:*:*:ethernet\\/ip:*:*",
              "matchCriteriaId": "E0889A10-FEFA-422A-81C6-33595076D5B9",
              "versionEndIncluding": "1.1.0.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_connector:*:*:*:*:*:bacnet:*:*",
              "matchCriteriaId": "F024275D-CC0D-40A6-8618-B8C2BCAC3453",
              "versionEndIncluding": "1.2.0.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_connector:*:*:*:*:*:dc_systems_rtscada:*:*",
              "matchCriteriaId": "1634EED8-EE12-4F24-9D79-2108906D5941",
              "versionEndIncluding": "1.2.0.42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_connector:*:*:*:*:*:siemens_simatic_pcs_7:*:*",
              "matchCriteriaId": "3E4CA46D-C31A-4052-B3F1-755DC273D662",
              "versionEndIncluding": "1.2.1.71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_connector:*:*:*:*:*:iec_60870-5-104:*:*",
              "matchCriteriaId": "24376704-9C47-4BE7-AB95-1E5E194AD5A9",
              "versionEndIncluding": "1.2.2.79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_connector:*:*:*:*:*:hart-ip:*:*",
              "matchCriteriaId": "DB0A663F-3C53-43CF-AE8B-C2FD93AE0547",
              "versionEndIncluding": "1.3.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_connector:*:*:*:*:*:opc-ua:*:*",
              "matchCriteriaId": "DC780244-6475-4051-A901-02CF37CD80DC",
              "versionEndIncluding": "1.3.0.130",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_connector:*:*:*:*:*:ufl:*:*",
              "matchCriteriaId": "9912030A-5A3C-4254-B440-D3D8C47432A9",
              "versionEndIncluding": "1.3.1.135",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_connector:*:*:*:*:*:cygnet:*:*",
              "matchCriteriaId": "56274097-C75B-48BB-AA8A-C1213BCD1F37",
              "versionEndIncluding": "1.4.0.17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_connector:*:*:*:*:*:wonderware_historian:*:*",
              "matchCriteriaId": "EEB864E3-549D-4B2D-B89F-74E2F2454BEC",
              "versionEndIncluding": "1.5.0.88",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_connector_relay:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "474D5BE5-759E-4760-A4CC-661019379A47",
              "versionEndIncluding": "2.5.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_data_archive:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A918A5B9-40B4-4B00-A9F3-5F2F551447B5",
              "versionEndIncluding": "3.4.430.460",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_data_collection_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C99F2BBE-D5E7-4F6F-B03F-1250F9D31542",
              "versionEndIncluding": "2.5.19.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_integrator:*:*:*:*:*:business_analytics:*:*",
              "matchCriteriaId": "31D2D676-90D7-4516-BCDB-86DE0F34B43B",
              "versionEndIncluding": "2.2.0.183",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_interface_configuration_utility:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "23B33817-C61B-4369-A5B0-A9CAA6E83C62",
              "versionEndIncluding": "1.5.0.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:osisoft:pi_to_ocs:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A0D626AC-1990-4885-AEEB-8E897D6A9FF9",
              "versionEndIncluding": "1.1.36.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In OSIsoft PI System multiple products and versions, a local attacker can exploit incorrect permissions set by affected PI System software. This exploitation can result in unauthorized information disclosure, deletion, or modification if the local computer also processes PI System data from other users, such as from a shared workstation or terminal server deployment."
    },
    {
      "lang": "es",
      "value": "En m\u00faltiples productos y versiones de OSIsoft PI System, un atacante local puede explotar los permisos incorrectos establecidos por el software de PI System afectado. Esta explotaci\u00f3n puede resultar en una divulgaci\u00f3n, eliminaci\u00f3n o modificaci\u00f3n de informaci\u00f3n no autorizada si la computadora local tambi\u00e9n procesa los datos de PI System de otros usuarios, tal y como desde una estaci\u00f3n de trabajo compartida o la implementaci\u00f3n de un servidor terminal"
    }
  ],
  "id": "CVE-2020-10606",
  "lastModified": "2024-11-21T04:55:41.233",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-24T23:15:11.830",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2020-10606 (GCVE-0-2020-10606)

Vulnerability from cvelistv5 – Published: 2020-07-24 22:55 – Updated: 2024-08-04 11:06

Summary

Severity ?

No CVSS data available.

CWE

CWE-276 - INCORRECT DEFAULT PERMISSIONS CWE-276

Assigner

icscert

References

URL

Tags

https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	OSIsoft PI System multiple products and versions	Affected: OSIsoft PI System multiple products and versions

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:06:10.081Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OSIsoft PI System multiple products and versions",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "OSIsoft PI System multiple products and versions"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In OSIsoft PI System multiple products and versions, a local attacker can exploit incorrect permissions set by affected PI System software. This exploitation can result in unauthorized information disclosure, deletion, or modification if the local computer also processes PI System data from other users, such as from a shared workstation or terminal server deployment."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-276",
              "description": "INCORRECT DEFAULT PERMISSIONS CWE-276",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-24T22:55:32",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-10606",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "OSIsoft PI System multiple products and versions",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "OSIsoft PI System multiple products and versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In OSIsoft PI System multiple products and versions, a local attacker can exploit incorrect permissions set by affected PI System software. This exploitation can result in unauthorized information disclosure, deletion, or modification if the local computer also processes PI System data from other users, such as from a shared workstation or terminal server deployment."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "INCORRECT DEFAULT PERMISSIONS CWE-276"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
              "refsource": "MISC",
              "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-10606",
    "datePublished": "2020-07-24T22:55:32",
    "dateReserved": "2020-03-16T00:00:00",
    "dateUpdated": "2024-08-04T11:06:10.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2020-10606

CVE-2020-10606 (GCVE-0-2020-10606)

Tags

Sightings

Nomenclature