ID

VAR-202005-0949


CVE

CVE-2020-6652


TITLE

Eaton's Intelligent Power Manager vulnerability related to authority management

Trust: 0.8

sources: JVNDB: JVNDB-2020-005113

DESCRIPTION

An Incorrect Privilege Assignment vulnerability in Eaton's Intelligent Power Manager (IPM) v1.67 and prior allows non-admin users to upload system configuration files by sending specially crafted requests. As a result, non-admin users can manipulate the system configuration by uploading configurations with incorrect parameters. Eaton's Intelligent Power Manager (IPM) contains a privilege management vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). This vulnerability allows remote attackers to escalate privileges on affected installations of Eaton Intelligent Power Manager. Authentication is required to exploit this vulnerability. The specific flaw exists within the mc2 binary. The issue results from the lack of proper validation of user privileges prior to performing privileged actions. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from non-admin users. Eaton Intelligent Power Manager (IPM) is an intelligent power manager made by Eaton, USA. It supports remote monitoring and management of multiple devices in the network from the interface

Trust: 2.88

sources: NVD: CVE-2020-6652 // JVNDB: JVNDB-2020-005113 // ZDI: ZDI-20-650 // CNVD: CNVD-2021-28786 // VULMON: CVE-2020-6652

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-28786

AFFECTED PRODUCTS

vendor: eaton, model: intelligent power manager, scope: lte, version: 1.67

Trust: 1.0

vendor: eaton, model: intelligent power manager, scope: eq, version: 1.67

Trust: 0.9

vendor: eaton, model: intelligent power manager, scope: -, version: -

Trust: 0.7

vendor: eaton, model: intelligent power manager, scope: lte, version: <=1.67

Trust: 0.6

sources: ZDI: ZDI-20-650 // CNVD: CNVD-2021-28786 // VULMON: CVE-2020-6652 // JVNDB: JVNDB-2020-005113 // NVD: CVE-2020-6652

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-6652
value: HIGH

Trust: 1.0

CybersecurityCOE@eaton.com: CVE-2020-6652
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-005113
value: HIGH

Trust: 0.8

ZDI: CVE-2020-6652
value: HIGH

Trust: 0.7

CNVD: CNVD-2021-28786
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202005-252
value: HIGH

Trust: 0.6

VULMON: CVE-2020-6652
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-6652
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-005113
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-28786
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-6652
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: JVNDB-2020-005113
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-6652
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-650 // CNVD: CNVD-2021-28786 // VULMON: CVE-2020-6652 // JVNDB: JVNDB-2020-005113 // CNNVD: CNNVD-202005-252 // NVD: CVE-2020-6652 // NVD: CVE-2020-6652

PROBLEMTYPE DATA

problemtype: CWE-269

Trust: 1.8

problemtype: CWE-266

Trust: 1.0

sources: JVNDB: JVNDB-2020-005113 // NVD: CVE-2020-6652

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202005-252

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202005-252

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-005113

PATCH

title: ETN-VA-2020-1004
url: https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf

Trust: 0.8

title: Eaton has issued an update to correct this vulnerability.
url: https://www.us-cert.gov/ics/advisories/icsa-20-133-01

Trust: 0.7

title: Patch for Eaton Intelligent Power Manager incorrect permission assignment vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/258931

Trust: 0.6

title: Eaton Intelligent Power Manager Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=117840

Trust: 0.6

sources: ZDI: ZDI-20-650 // CNVD: CNVD-2021-28786 // JVNDB: JVNDB-2020-005113 // CNNVD: CNNVD-202005-252

EXTERNAL IDS

db: NVD, id: CVE-2020-6652

Trust: 3.8

db: ZDI, id: ZDI-20-650

Trust: 2.4

db: ICS CERT, id: ICSA-20-133-01

Trust: 1.4

db: JVN, id: JVNVU91250818

Trust: 0.8

db: JVNDB, id: JVNDB-2020-005113

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-11085

Trust: 0.7

db: CNVD, id: CNVD-2021-28786

Trust: 0.6

db: AUSCERT, id: ESB-2020.1678

Trust: 0.6

db: NSFOCUS, id: 47501

Trust: 0.6

db: CNNVD, id: CNNVD-202005-252

Trust: 0.6

db: VULMON, id: CVE-2020-6652

Trust: 0.1

sources: ZDI: ZDI-20-650 // CNVD: CNVD-2021-28786 // VULMON: CVE-2020-6652 // JVNDB: JVNDB-2020-005113 // CNNVD: CNNVD-202005-252 // NVD: CVE-2020-6652

REFERENCES

url: https://www.us-cert.gov/ics/advisories/icsa-20-133-01

Trust: 2.1

url: https://nvd.nist.gov/vuln/detail/cve-2020-6652

Trust: 2.0

url: https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-vulnerability-advisory-intelligent-power-manager-v1-1.pdf

Trust: 1.7

url: https://www.zerodayinitiative.com/advisories/zdi-20-650/

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-6652

Trust: 0.8

url: https://jvn.jp/vu/jvnvu91250818/

Trust: 0.8

url: http://www.nsfocus.net/vulndb/47501

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2020.1678/

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/269.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: ZDI: ZDI-20-650 // CNVD: CNVD-2021-28786 // VULMON: CVE-2020-6652 // JVNDB: JVNDB-2020-005113 // CNNVD: CNNVD-202005-252 // NVD: CVE-2020-6652

CREDITS

zebasquared

Trust: 0.7

sources: ZDI: ZDI-20-650

SOURCES

db: ZDI, id: ZDI-20-650
db: CNVD, id: CNVD-2021-28786
db: VULMON, id: CVE-2020-6652
db: JVNDB, id: JVNDB-2020-005113
db: CNNVD, id: CNNVD-202005-252
db: NVD, id: CVE-2020-6652

LAST UPDATE DATE

2024-11-23T22:05:38.001000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-20-650, date: 2020-05-12T00:00:00
db: CNVD, id: CNVD-2021-28786, date: 2021-04-16T00:00:00
db: VULMON, id: CVE-2020-6652, date: 2020-05-12T00:00:00
db: JVNDB, id: JVNDB-2020-005113, date: 2020-06-08T00:00:00
db: CNNVD, id: CNNVD-202005-252, date: 2020-08-07T00:00:00
db: NVD, id: CVE-2020-6652, date: 2024-11-21T05:36:06.013

SOURCES RELEASE DATE

db: ZDI, id: ZDI-20-650, date: 2020-05-12T00:00:00
db: CNVD, id: CNVD-2021-28786, date: 2021-04-16T00:00:00
db: VULMON, id: CVE-2020-6652, date: 2020-05-07T00:00:00
db: JVNDB, id: JVNDB-2020-005113, date: 2020-06-08T00:00:00
db: CNNVD, id: CNNVD-202005-252, date: 2020-05-07T00:00:00
db: NVD, id: CVE-2020-6652, date: 2020-05-07T16:15:11.390