ID

VAR-202011-1011


CVE

CVE-2020-3392


TITLE

Vulnerability regarding lack of authentication for critical features in Cisco IoT Field Network Director

Trust: 0.8

sources: JVNDB: JVNDB-2020-013739

DESCRIPTION

A vulnerability in the API of Cisco IoT Field Network Director (FND) could allow an unauthenticated, remote attacker to view sensitive information on an affected system. The vulnerability exists because the affected software does not properly authenticate API calls. An attacker could exploit this vulnerability by sending API requests to an affected system. A successful exploit could allow the attacker to view sensitive information on the affected system, including information about the devices that the system manages, without authentication. The system has functions such as equipment management, asset tracking and smart metering.

Trust: 2.79

sources: NVD: CVE-2020-3392 // JVNDB: JVNDB-2020-013739 // CNVD: CNVD-2020-72728 // CNNVD: CNNVD-202011-1619 // VULHUB: VHN-181517

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-72728

AFFECTED PRODUCTS

vendor: cisco, model: iot field network director, scope: lt, version: 4.6.1

Trust: 1.6

vendor: シスコシステムズ, model: cisco iot field network director, scope: eq, version: -

Trust: 0.8

sources: CNVD: CNVD-2020-72728 // JVNDB: JVNDB-2020-013739 // NVD: CVE-2020-3392

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3392
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3392
value: HIGH

Trust: 1.0

NVD: CVE-2020-3392
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-72728
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202011-1619
value: HIGH

Trust: 0.6

VULHUB: VHN-181517
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-3392
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-72728
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-181517
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2020-3392
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2020-3392
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2020-72728 // VULHUB: VHN-181517 // JVNDB: JVNDB-2020-013739 // CNNVD: CNNVD-202011-1619 // NVD: CVE-2020-3392 // NVD: CVE-2020-3392

PROBLEMTYPE DATA

problemtype: CWE-306

Trust: 1.1

problemtype: Lack of authentication for important features (CWE-306) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-181517 // JVNDB: JVNDB-2020-013739 // NVD: CVE-2020-3392

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202011-1619

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202011-1619

PATCH

title: cisco-sa-FND-APIA-xZntFS2V
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-APIA-xZntFS2V

Trust: 0.8

title: Patch for Cisco IoT Field Network Director access control error vulnerability (CNVD-2020-72728)
url: https://www.cnvd.org.cn/patchInfo/show/242251

Trust: 0.6

title: Cisco IoT Field Network Director Fixes for access control error vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=135512

Trust: 0.6

sources: CNVD: CNVD-2020-72728 // JVNDB: JVNDB-2020-013739 // CNNVD: CNNVD-202011-1619

EXTERNAL IDS

db: NVD, id: CVE-2020-3392

Trust: 3.1

db: JVNDB, id: JVNDB-2020-013739

Trust: 0.8

db: CNNVD, id: CNNVD-202011-1619

Trust: 0.7

db: CNVD, id: CNVD-2020-72728

Trust: 0.6

db: AUSCERT, id: ESB-2020.4111

Trust: 0.6

db: VULHUB, id: VHN-181517

Trust: 0.1

sources: CNVD: CNVD-2020-72728 // VULHUB: VHN-181517 // JVNDB: JVNDB-2020-013739 // CNNVD: CNNVD-202011-1619 // NVD: CVE-2020-3392

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2020-3392

Trust: 2.0

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-fnd-apia-xzntfs2v

Trust: 1.7

url: https://www.auscert.org.au/bulletins/esb-2020.4111/

Trust: 0.6

sources: CNVD: CNVD-2020-72728 // VULHUB: VHN-181517 // JVNDB: JVNDB-2020-013739 // CNNVD: CNNVD-202011-1619 // NVD: CVE-2020-3392

SOURCES

db: CNVD, id: CNVD-2020-72728
db: VULHUB, id: VHN-181517
db: JVNDB, id: JVNDB-2020-013739
db: CNNVD, id: CNNVD-202011-1619
db: NVD, id: CVE-2020-3392

LAST UPDATE DATE

2024-11-23T21:51:12.740000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-72728, date: 2020-12-19T00:00:00
db: VULHUB, id: VHN-181517, date: 2020-12-01T00:00:00
db: JVNDB, id: JVNDB-2020-013739, date: 2021-07-13T07:51:00
db: CNNVD, id: CNNVD-202011-1619, date: 2020-12-02T00:00:00
db: NVD, id: CVE-2020-3392, date: 2024-11-21T05:30:56.453

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-72728, date: 2020-12-19T00:00:00
db: VULHUB, id: VHN-181517, date: 2020-11-18T00:00:00
db: JVNDB, id: JVNDB-2020-013739, date: 2021-07-13T00:00:00
db: CNNVD, id: CNNVD-202011-1619, date: 2020-11-18T00:00:00
db: NVD, id: CVE-2020-3392, date: 2020-11-18T18:15:12.623