Sign-up

ID

VAR-202005-0948


CVE

CVE-2020-6651


TITLE

Eaton's Intelligent Power Manager Input verification vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-005112

DESCRIPTION

Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application. Eaton's Intelligent Power Manager (IPM) There are input verification vulnerabilities, and OS Command injection vulnerability existsInformation is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Eaton Intelligent Power Manager. Authentication is required to exploit this vulnerability.The specific flaw exists within system_srv.js. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root on Linux or SYSTEM on Windows. Eaton IPM 1.67 and previous versions have an input validation error vulnerability, which stems from the program's failure to correctly verify the name of the configuration file

Trust: 2.88

sources: NVD: CVE-2020-6651 // JVNDB: JVNDB-2020-005112 // ZDI: ZDI-20-649 // CNVD: CNVD-2020-35496 // VULMON: CVE-2020-6651

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-35496

AFFECTED PRODUCTS

vendor:eatonmodel:intelligent power managerscope:lteversion:1.67

Trust: 1.0

vendor:eatonmodel:intelligent power managerscope:eqversion:1.67

Trust: 0.9

vendor:eatonmodel:intelligent power managerscope: - version: -

Trust: 0.7

vendor:eatonmodel:intelligent power managerscope:lteversion:<=1.67

Trust: 0.6

sources: ZDI: ZDI-20-649 // CNVD: CNVD-2020-35496 // VULMON: CVE-2020-6651 // JVNDB: JVNDB-2020-005112 // NVD: CVE-2020-6651

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-6651
value: HIGH

Trust: 1.0

CybersecurityCOE@eaton.com: CVE-2020-6651
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-005112
value: HIGH

Trust: 0.8

ZDI: CVE-2020-6651
value: HIGH

Trust: 0.7

CNVD: CNVD-2020-35496
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202005-253
value: HIGH

Trust: 0.6

VULMON: CVE-2020-6651
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-6651
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-005112
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-35496
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-6651
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.3
impactScore: 5.9
version: 3.1

Trust: 1.0

CybersecurityCOE@eaton.com: CVE-2020-6651
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-005112
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-6651
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-649 // CNVD: CNVD-2020-35496 // VULMON: CVE-2020-6651 // JVNDB: JVNDB-2020-005112 // CNNVD: CNNVD-202005-253 // NVD: CVE-2020-6651 // NVD: CVE-2020-6651

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.8

problemtype:CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2020-005112 // NVD: CVE-2020-6651

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202005-253

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202005-253

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-005112

PATCH
title:ETN-VA-2020-1004url:https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf
Trust: 0.8
title:Eaton has issued an update to correct this vulnerability.url:https://www.us-cert.gov/ics/advisories/icsa-20-133-01
Trust: 0.7
title:Patch for Eaton Intelligent Power Manager Input Verification Error Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/224035
Trust: 0.6
title:Eaton Intelligent Power Manager Enter the fix for the verification error vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=118624
Trust: 0.6
sources:
            
            
            ZDI: ZDI-20-649 // 
            
            
            
            CNVD: CNVD-2020-35496 // 
            
            
            
            JVNDB: JVNDB-2020-005112 // 
            
            
            
            CNNVD: CNNVD-202005-253

EXTERNAL IDS
db:NVDid:CVE-2020-6651
Trust: 3.8
db:ZDIid:ZDI-20-649
Trust: 2.4
db:ICS CERTid:ICSA-20-133-01
Trust: 1.4
db:JVNid:JVNVU91250818
Trust: 0.8
db:JVNDBid:JVNDB-2020-005112
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-9854
Trust: 0.7
db:CNVDid:CNVD-2020-35496
Trust: 0.6
db:AUSCERTid:ESB-2020.1678
Trust: 0.6
db:NSFOCUSid:47235
Trust: 0.6
db:CNNVDid:CNNVD-202005-253
Trust: 0.6
db:VULMONid:CVE-2020-6651
Trust: 0.1
sources:
            
            
            ZDI: ZDI-20-649 // 
            
            
            
            CNVD: CNVD-2020-35496 // 
            
            
            
            VULMON: CVE-2020-6651 // 
            
            
            
            JVNDB: JVNDB-2020-005112 // 
            
            
            
            CNNVD: CNNVD-202005-253 // 
            
            
            
            NVD: CVE-2020-6651

REFERENCES
url:https://www.us-cert.gov/ics/advisories/icsa-20-133-01
Trust: 2.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-6651
Trust: 2.0
url:https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf
Trust: 1.7
url:https://www.zerodayinitiative.com/advisories/zdi-20-649/
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-6651
Trust: 0.8
url:https://jvn.jp/vu/jvnvu91250818/
Trust: 0.8
url:http://www.nsfocus.net/vulndb/47235
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2020.1678/
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/78.html
Trust: 0.1
url:https://cwe.mitre.org/data/definitions/20.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            ZDI: ZDI-20-649 // 
            
            
            
            CNVD: CNVD-2020-35496 // 
            
            
            
            VULMON: CVE-2020-6651 // 
            
            
            
            JVNDB: JVNDB-2020-005112 // 
            
            
            
            CNNVD: CNNVD-202005-253 // 
            
            
            
            NVD: CVE-2020-6651

CREDITS
Sivathmican Sivakumaran of Trend Micro Zero Day Initiative
Trust: 0.7
sources:
            
            
            ZDI: ZDI-20-649

SOURCES
db:ZDIid:ZDI-20-649
db:CNVDid:CNVD-2020-35496
db:VULMONid:CVE-2020-6651
db:JVNDBid:JVNDB-2020-005112
db:CNNVDid:CNNVD-202005-253
db:NVDid:CVE-2020-6651

LAST UPDATE DATE
2024-11-23T22:05:37.964000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-20-649date:2020-05-12T00:00:00
db:CNVDid:CNVD-2020-35496date:2020-07-01T00:00:00
db:VULMONid:CVE-2020-6651date:2020-05-12T00:00:00
db:JVNDBid:JVNDB-2020-005112date:2020-06-08T00:00:00
db:CNNVDid:CNNVD-202005-253date:2020-07-24T00:00:00
db:NVDid:CVE-2020-6651date:2024-11-21T05:36:05.900

SOURCES RELEASE DATE
db:ZDIid:ZDI-20-649date:2020-05-12T00:00:00
db:CNVDid:CNVD-2020-35496date:2020-07-01T00:00:00
db:VULMONid:CVE-2020-6651date:2020-05-07T00:00:00
db:JVNDBid:JVNDB-2020-005112date:2020-06-08T00:00:00
db:CNNVDid:CNNVD-202005-253date:2020-05-07T00:00:00
db:NVDid:CVE-2020-6651date:2020-05-07T16:15:11.313