Details of VAR-202011-0704

ID

VAR-202011-0704

CVE

CVE-2020-26072

TITLE

Cisco IoT Field Network Director Vulnerability in privilege management

Trust: 0.8

sources: JVNDB: JVNDB-2020-013472

DESCRIPTION

A vulnerability in the SOAP API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to access and modify information on devices that belong to a different domain. The vulnerability is due to insufficient authorization in the SOAP API. An attacker could exploit this vulnerability by sending SOAP API requests to affected devices for devices that are outside their authorized domain. A successful exploit could allow the attacker to access and modify information on devices that belong to a different domain. The system has functions such as equipment management, asset tracking and smart metering

Trust: 2.79

sources: NVD: CVE-2020-26072 // JVNDB: JVNDB-2020-013472 // CNVD: CNVD-2020-66208 // CNNVD: CNNVD-202011-1627 // VULHUB: VHN-180114

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-66208

AFFECTED PRODUCTS

vendor:	cisco	model:	iot field network director	scope:	lt	version:	4.6.1	Trust: 1.6
vendor:	シスコシステムズ	model:	cisco iot field network director	scope:	eq	version:	-	Trust: 0.8

sources: CNVD: CNVD-2020-66208 // JVNDB: JVNDB-2020-013472 // NVD: CVE-2020-26072

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-26072
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-26072
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-26072
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-66208
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202011-1627
value:	HIGH
Trust: 0.6
VULHUB:	VHN-180114
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-26072
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2020-66208
severity:	HIGH
baseScore:	7.7
vectorString:	AV:N/AC:L/AU:M/C:C/I:C/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	6.4
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-180114
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ykramarz@cisco.com:	CVE-2020-26072
baseSeverity:	HIGH
baseScore:	8.7
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	5.8
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2020-26072
baseSeverity:	HIGH
baseScore:	8.7
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	5.8
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2020-66208 // VULHUB: VHN-180114 // JVNDB: JVNDB-2020-013472 // CNNVD: CNNVD-202011-1627 // NVD: CVE-2020-26072 // NVD: CVE-2020-26072

PROBLEMTYPE DATA

problemtype:	CWE-269	Trust: 1.1
problemtype:	CWE-284	Trust: 1.0
problemtype:	Improper authority management (CWE-269) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-180114 // JVNDB: JVNDB-2020-013472 // NVD: CVE-2020-26072

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202011-1627

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202011-1627

PATCH

title:	cisco-sa-FND-AUTH-vEypBmmR	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-AUTH-vEypBmmR	Trust: 0.8
title:	Patch for Cisco IoT Field Network Director SOAP API Authorization Bypass Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/241027	Trust: 0.6
title:	Cisco IoT Field Network Director Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=134795	Trust: 0.6

sources: CNVD: CNVD-2020-66208 // JVNDB: JVNDB-2020-013472 // CNNVD: CNNVD-202011-1627

EXTERNAL IDS

db:	NVD	id:	CVE-2020-26072	Trust: 3.1
db:	JVNDB	id:	JVNDB-2020-013472	Trust: 0.8
db:	CNVD	id:	CNVD-2020-66208	Trust: 0.7
db:	CNNVD	id:	CNNVD-202011-1627	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.4111	Trust: 0.6
db:	VULHUB	id:	VHN-180114	Trust: 0.1

sources: CNVD: CNVD-2020-66208 // VULHUB: VHN-180114 // JVNDB: JVNDB-2020-013472 // CNNVD: CNNVD-202011-1627 // NVD: CVE-2020-26072

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2020-26072	Trust: 2.0
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-fnd-auth-veypbmmr	Trust: 1.7
url:	https://www.auscert.org.au/bulletins/esb-2020.4111/	Trust: 0.6

sources: CNVD: CNVD-2020-66208 // VULHUB: VHN-180114 // JVNDB: JVNDB-2020-013472 // CNNVD: CNNVD-202011-1627 // NVD: CVE-2020-26072

SOURCES

db:	CNVD	id:	CNVD-2020-66208
db:	VULHUB	id:	VHN-180114
db:	JVNDB	id:	JVNDB-2020-013472
db:	CNNVD	id:	CNNVD-202011-1627
db:	NVD	id:	CVE-2020-26072

LAST UPDATE DATE

2024-11-23T21:51:12.921000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-66208	date:	2020-11-24T00:00:00
db:	VULHUB	id:	VHN-180114	date:	2020-11-25T00:00:00
db:	JVNDB	id:	JVNDB-2020-013472	date:	2021-07-06T09:13:00
db:	CNNVD	id:	CNNVD-202011-1627	date:	2020-11-27T00:00:00
db:	NVD	id:	CVE-2020-26072	date:	2024-11-21T05:19:10.397

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-66208	date:	2020-11-24T00:00:00
db:	VULHUB	id:	VHN-180114	date:	2020-11-18T00:00:00
db:	JVNDB	id:	JVNDB-2020-013472	date:	2021-07-06T00:00:00
db:	CNNVD	id:	CNNVD-202011-1627	date:	2020-11-18T00:00:00
db:	NVD	id:	CVE-2020-26072	date:	2020-11-18T18:15:11.543