csaf_certbund - wid-sec-w-2023-1768

WID-SEC-W-2023-1768

Vulnerability from csaf_certbund - Published: 2023-07-17 22:00 - Updated: 2023-07-17 22:00

Summary

Hitachi Command Suite: Schwachstelle ermöglicht Manipulation von Dateien

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Hitachi Command Suite (HCS) ist das zentrale Management Framework für HDS Speicher- und Infrastrukturkomponenten (HDS Speichersysteme).

Angriff

Ein lokaler Angreifer kann eine Schwachstelle in Hitachi Command Suite ausnutzen, um Dateien zu manipulieren.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Hitachi Command Suite (HCS) ist das zentrale Management Framework f\u00fcr HDS Speicher- und Infrastrukturkomponenten (HDS Speichersysteme).",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann eine Schwachstelle in Hitachi Command Suite ausnutzen, um Dateien zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-1768 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1768.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-1768 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1768"
      },
      {
        "category": "external",
        "summary": "Hitach Security Advisory 2023-124 vom 2023-07-17",
        "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-124/index.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Hitachi Command Suite: Schwachstelle erm\u00f6glicht Manipulation von Dateien",
    "tracking": {
      "current_release_date": "2023-07-17T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:55:40.984+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-1768",
      "initial_release_date": "2023-07-17T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-07-17T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Hitachi Command Suite \u003c 8.8.5-02",
                "product": {
                  "name": "Hitachi Command Suite \u003c 8.8.5-02",
                  "product_id": "T028654",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hitachi:command_suite:8.8.5-02"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Hitachi Command Suite \u003c 8.8.3-08",
                "product": {
                  "name": "Hitachi Command Suite \u003c 8.8.3-08",
                  "product_id": "T028655",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hitachi:command_suite:8.8.3-08"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Command Suite"
          }
        ],
        "category": "vendor",
        "name": "Hitachi"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-36695",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Hitachi Command Suite. Diese ist auf Fehler im Bezug auf Dateien und Berechtigungen zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren."
        }
      ],
      "release_date": "2023-07-17T22:00:00.000+00:00",
      "title": "CVE-2020-36695"
    }
  ]
}

CVE-2020-36695 (GCVE-0-2020-36695)

Vulnerability from cvelistv5 – Published: 2023-07-18 01:59 – Updated: 2024-10-21 19:04

Summary

Incorrect Default Permissions vulnerability in Hitachi Device Manager on Linux (Device Manager Server component), Hitachi Tiered Storage Manager on Linux, Hitachi Replication Manager on Linux, Hitachi Tuning Manager on Linux (Hitachi Tuning Manager server, Hitachi Tuning Manager - Agent for RAID, Hitachi Tuning Manager - Agent for NAS components), Hitachi Compute Systems Manager on Linux allows File Manipulation.This issue affects Hitachi Device Manager: before 8.8.5-02; Hitachi Tiered Storage Manager: before 8.8.5-02; Hitachi Replication Manager: before 8.8.5-02; Hitachi Tuning Manager: before 8.8.5-02; Hitachi Compute Systems Manager: before 8.8.3-08.

Severity ?

6.6 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

CWE

CWE-276 - Incorrect Default Permissions

Assigner

Hitachi

References

URL

Tags

https://www.hitachi.com/products/it/software/secu…

vendor-advisory

Impacted products

Vendor

Product

Version

Hitachi

Hitachi Device Manager

Affected: 0 , < 8.8.5-02 (custom)

Hitachi	Hitachi Tiered Storage Manager	Affected: 0 , < 8.8.5-02 (custom)
Hitachi	Hitachi Replication Manager	Affected: 0 , < 8.8.5-02 (custom)
Hitachi	Hitachi Tuning Manager	Affected: 0 , < 8.8.5-02 (custom)
Hitachi	Hitachi Compute Systems Manager	Affected: 0 , < 8.8.3-08 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:37:05.235Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-124/index.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-36695",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-21T18:55:34.277350Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-21T19:04:12.419Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Device Manager Server"
          ],
          "platforms": [
            "Linux"
          ],
          "product": "Hitachi Device Manager",
          "vendor": "Hitachi",
          "versions": [
            {
              "changes": [
                {
                  "at": "8.8.5-02",
                  "status": "unaffected"
                }
              ],
              "lessThan": "8.8.5-02",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "Hitachi Tiered Storage Manager",
          "vendor": "Hitachi",
          "versions": [
            {
              "changes": [
                {
                  "at": "8.8.5-02",
                  "status": "unaffected"
                }
              ],
              "lessThan": "8.8.5-02",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "Hitachi Replication Manager",
          "vendor": "Hitachi",
          "versions": [
            {
              "changes": [
                {
                  "at": "8.8.5-02",
                  "status": "unaffected"
                }
              ],
              "lessThan": "8.8.5-02",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Hitachi Tuning Manager server",
            "Hitachi Tuning Manager - Agent for RAID",
            "Hitachi Tuning Manager - Agent for NAS"
          ],
          "platforms": [
            "Linux"
          ],
          "product": "Hitachi Tuning Manager",
          "vendor": "Hitachi",
          "versions": [
            {
              "changes": [
                {
                  "at": "8.8.5-02",
                  "status": "unaffected"
                }
              ],
              "lessThan": "8.8.5-02",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "Hitachi Compute Systems Manager",
          "vendor": "Hitachi",
          "versions": [
            {
              "changes": [
                {
                  "at": "8.8.3-08",
                  "status": "unaffected"
                }
              ],
              "lessThan": "8.8.3-08",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incorrect Default Permissions vulnerability in Hitachi Device Manager on Linux (Device Manager Server component), Hitachi Tiered Storage Manager on Linux, Hitachi Replication Manager on Linux, Hitachi Tuning Manager on Linux (Hitachi Tuning Manager server, Hitachi Tuning Manager - Agent for RAID, Hitachi Tuning Manager - Agent for NAS \n\ncomponents), Hitachi Compute Systems Manager on Linux allows File Manipulation.\u003cp\u003eThis issue affects Hitachi Device Manager: before 8.8.5-02; Hitachi Tiered Storage Manager: before 8.8.5-02; Hitachi Replication Manager: before 8.8.5-02; Hitachi Tuning Manager: before 8.8.5-02; Hitachi Compute Systems Manager: before 8.8.3-08.\u003c/p\u003e"
            }
          ],
          "value": "Incorrect Default Permissions vulnerability in Hitachi Device Manager on Linux (Device Manager Server component), Hitachi Tiered Storage Manager on Linux, Hitachi Replication Manager on Linux, Hitachi Tuning Manager on Linux (Hitachi Tuning Manager server, Hitachi Tuning Manager - Agent for RAID, Hitachi Tuning Manager - Agent for NAS \n\ncomponents), Hitachi Compute Systems Manager on Linux allows File Manipulation.This issue affects Hitachi Device Manager: before 8.8.5-02; Hitachi Tiered Storage Manager: before 8.8.5-02; Hitachi Replication Manager: before 8.8.5-02; Hitachi Tuning Manager: before 8.8.5-02; Hitachi Compute Systems Manager: before 8.8.3-08.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-165",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-165 File Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-276",
              "description": "CWE-276 Incorrect Default Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-18T01:59:31.566Z",
        "orgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
        "shortName": "Hitachi"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-124/index.html"
        }
      ],
      "source": {
        "advisory": "hitachi-sec-2023-124",
        "discovery": "UNKNOWN"
      },
      "title": "File and Directory Permission Vulnerability in Hitachi Command Suite",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
    "assignerShortName": "Hitachi",
    "cveId": "CVE-2020-36695",
    "datePublished": "2023-07-18T01:59:31.566Z",
    "dateReserved": "2023-06-06T01:32:00.408Z",
    "dateUpdated": "2024-10-21T19:04:12.419Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2023-1768

CVE-2020-36695 (GCVE-0-2020-36695)

Tags

Sightings

Nomenclature