ID

VAR-202003-0167


CVE

CVE-2020-10607


TITLE

Advantech WebAccess Out-of-bounds write vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-003531

DESCRIPTION

In Advantech WebAccess versions 8.4.2 and prior, a stack-based buffer overflow vulnerability caused by a lack of proper validation of the length of user-supplied data may allow remote code execution. Advantech WebAccess is vulnerable to out-of-bounds writes. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Advantech WebAccess is a browser-based HMI/SCADA software suite from the Chinese company Advantech. The software supports dynamic graphic display and real-time data control, and provides functions for remote control and management of automated equipment. There is a buffer overflow vulnerability in Advantech WebAccess 8.4.2 and previous versions. The vulnerability stems from the program's failure to correctly verify the length of data submitted by users. Attackers can use this vulnerability to execute code.

Trust: 2.79

sources: NVD: CVE-2020-10607 // JVNDB: JVNDB-2020-003531 // CNVD: CNVD-2020-19926 // IVD: d5282d3d-a398-4571-b9bc-da30828c4d30 // IVD: b9a6b9c9-b8df-47a0-90c2-5d1880f27a53 // IVD: fdd0b3f8-3949-42e4-a46f-0b16e2b5e110 // VULHUB: VHN-163102

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 1.2

sources: IVD: d5282d3d-a398-4571-b9bc-da30828c4d30 // IVD: b9a6b9c9-b8df-47a0-90c2-5d1880f27a53 // IVD: fdd0b3f8-3949-42e4-a46f-0b16e2b5e110 // CNVD: CNVD-2020-19926

AFFECTED PRODUCTS

vendor: advantech, model: webaccess, scope: lte, version: 8.4.2

Trust: 1.0

vendor: advantech, model: webaccess, scope: eq, version: 8.4.2

Trust: 0.8

vendor: webaccess, model: -, scope: eq, version: *

Trust: 0.6

vendor: advantech, model: webaccess, scope: lte, version: <=8.4.2

Trust: 0.6

sources: IVD: d5282d3d-a398-4571-b9bc-da30828c4d30 // IVD: b9a6b9c9-b8df-47a0-90c2-5d1880f27a53 // IVD: fdd0b3f8-3949-42e4-a46f-0b16e2b5e110 // CNVD: CNVD-2020-19926 // JVNDB: JVNDB-2020-003531 // NVD: CVE-2020-10607

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-10607
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-003531
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-19926
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202003-1645
value: HIGH

Trust: 0.6

IVD: d5282d3d-a398-4571-b9bc-da30828c4d30
value: HIGH

Trust: 0.2

IVD: b9a6b9c9-b8df-47a0-90c2-5d1880f27a53
value: HIGH

Trust: 0.2

IVD: fdd0b3f8-3949-42e4-a46f-0b16e2b5e110
value: HIGH

Trust: 0.2

VULHUB: VHN-163102
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-10607
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003531
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-19926
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: d5282d3d-a398-4571-b9bc-da30828c4d30
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: b9a6b9c9-b8df-47a0-90c2-5d1880f27a53
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: fdd0b3f8-3949-42e4-a46f-0b16e2b5e110
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-163102
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-10607
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003531
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: d5282d3d-a398-4571-b9bc-da30828c4d30 // IVD: b9a6b9c9-b8df-47a0-90c2-5d1880f27a53 // IVD: fdd0b3f8-3949-42e4-a46f-0b16e2b5e110 // CNVD: CNVD-2020-19926 // VULHUB: VHN-163102 // JVNDB: JVNDB-2020-003531 // CNNVD: CNNVD-202003-1645 // NVD: CVE-2020-10607

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.9

problemtype:CWE-121

Trust: 1.0

sources: VULHUB: VHN-163102 // JVNDB: JVNDB-2020-003531 // NVD: CVE-2020-10607

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1645

TYPE

Buffer error

Trust: 1.2

sources: IVD: d5282d3d-a398-4571-b9bc-da30828c4d30 // IVD: b9a6b9c9-b8df-47a0-90c2-5d1880f27a53 // IVD: fdd0b3f8-3949-42e4-a46f-0b16e2b5e110 // CNNVD: CNNVD-202003-1645

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003531

PATCH

title: Top Page, url: https://www.advantech.com/

Trust: 0.8

title: Patch for Advantech WebAccess buffer overflow vulnerability (CNVD-2020-19926), url: https://www.cnvd.org.cn/patchInfo/show/211327

Trust: 0.6

title: Advantech WebAccess Buffer error vulnerability fix, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=113038

Trust: 0.6

sources: CNVD: CNVD-2020-19926 // JVNDB: JVNDB-2020-003531 // CNNVD: CNNVD-202003-1645

EXTERNAL IDS

db: NVD, id: CVE-2020-10607

Trust: 3.7

db: ICS CERT, id: ICSA-20-086-01

Trust: 3.1

db: CNVD, id: CNVD-2020-19926

Trust: 1.3

db: CNNVD, id: CNNVD-202003-1645

Trust: 1.3

db: JVNDB, id: JVNDB-2020-003531

Trust: 0.8

db: AUSCERT, id: ESB-2020.1084

Trust: 0.6

db: IVD, id: D5282D3D-A398-4571-B9BC-DA30828C4D30

Trust: 0.2

db: IVD, id: B9A6B9C9-B8DF-47A0-90C2-5D1880F27A53

Trust: 0.2

db: IVD, id: FDD0B3F8-3949-42E4-A46F-0B16E2B5E110

Trust: 0.2

db: VULHUB, id: VHN-163102

Trust: 0.1

sources: IVD: d5282d3d-a398-4571-b9bc-da30828c4d30 // IVD: b9a6b9c9-b8df-47a0-90c2-5d1880f27a53 // IVD: fdd0b3f8-3949-42e4-a46f-0b16e2b5e110 // CNVD: CNVD-2020-19926 // VULHUB: VHN-163102 // JVNDB: JVNDB-2020-003531 // CNNVD: CNNVD-202003-1645 // NVD: CVE-2020-10607

REFERENCES

url:https://www.us-cert.gov/ics/advisories/icsa-20-086-01

Trust: 3.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-10607

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10607

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.1084/

Trust: 0.6

sources: CNVD: CNVD-2020-19926 // VULHUB: VHN-163102 // JVNDB: JVNDB-2020-003531 // CNNVD: CNNVD-202003-1645 // NVD: CVE-2020-10607

SOURCES

db: IVD, id: d5282d3d-a398-4571-b9bc-da30828c4d30
db: IVD, id: b9a6b9c9-b8df-47a0-90c2-5d1880f27a53
db: IVD, id: fdd0b3f8-3949-42e4-a46f-0b16e2b5e110
db: CNVD, id: CNVD-2020-19926
db: VULHUB, id: VHN-163102
db: JVNDB, id: JVNDB-2020-003531
db: CNNVD, id: CNNVD-202003-1645
db: NVD, id: CVE-2020-10607

LAST UPDATE DATE

2024-08-14T14:25:53.464000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-19926, date: 2020-03-29T00:00:00
db: VULHUB, id: VHN-163102, date: 2020-04-01T00:00:00
db: JVNDB, id: JVNDB-2020-003531, date: 2020-04-17T00:00:00
db: CNNVD, id: CNNVD-202003-1645, date: 2020-04-03T00:00:00
db: NVD, id: CVE-2020-10607, date: 2020-04-01T13:54:57.343

SOURCES RELEASE DATE

db: IVD, id: d5282d3d-a398-4571-b9bc-da30828c4d30, date: 2020-03-26T00:00:00
db: IVD, id: b9a6b9c9-b8df-47a0-90c2-5d1880f27a53, date: 2020-03-26T00:00:00
db: IVD, id: fdd0b3f8-3949-42e4-a46f-0b16e2b5e110, date: 2020-03-26T00:00:00
db: CNVD, id: CNVD-2020-19926, date: 2020-03-28T00:00:00
db: VULHUB, id: VHN-163102, date: 2020-03-27T00:00:00
db: JVNDB, id: JVNDB-2020-003531, date: 2020-04-17T00:00:00
db: CNNVD, id: CNNVD-202003-1645, date: 2020-03-26T00:00:00
db: NVD, id: CVE-2020-10607, date: 2020-03-27T14:15:12.463