ID

VAR-202101-1948


CVE

CVE-2020-28384


TITLE

Solid Edge  Out-of-bounds Vulnerability in Microsoft

Trust: 0.8

sources: JVNDB: JVNDB-2020-015354

DESCRIPTION

A vulnerability has been identified in Solid Edge SE2020 (All Versions < SE2020MP12), Solid Edge SE2021 (All Versions < SE2021MP2). Affected applications lack proper validation of user-supplied data when parsing PAR files. This could lead to a stack based buffer overflow. An attacker could leverage this vulnerability to execute code in the context of the current process. Solid Edge Is vulnerable to an out-of-bounds write.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Solid Edge Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of PAR files. Solid Edge is a combination of software tools to solve various product development processes

Trust: 2.79

sources: NVD: CVE-2020-28384 // JVNDB: JVNDB-2020-015354 // ZDI: ZDI-21-076 // CNVD: CNVD-2021-02632

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-02632

AFFECTED PRODUCTS

vendor:siemensmodel:solid edgescope:eqversion:se2020

Trust: 1.0

vendor:siemensmodel:solid edgescope:ltversion:se2020

Trust: 1.0

vendor:siemensmodel:solid edgescope:eqversion:se2021

Trust: 1.0

vendor:シーメンスmodel:solid edgescope:eqversion: -

Trust: 0.8

vendor:シーメンスmodel:solid edgescope:eqversion:se2021mp2

Trust: 0.8

vendor:シーメンスmodel:solid edgescope:eqversion:se2020mp12

Trust: 0.8

vendor:siemensmodel:solid edge viewerscope: - version: -

Trust: 0.7

vendor:siemensmodel:solid edge <se2021mp2scope: - version: -

Trust: 0.6

sources: ZDI: ZDI-21-076 // CNVD: CNVD-2021-02632 // JVNDB: JVNDB-2020-015354 // NVD: CVE-2020-28384

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-28384
value: HIGH

Trust: 1.0

NVD: CVE-2020-28384
value: HIGH

Trust: 0.8

ZDI: CVE-2020-28384
value: HIGH

Trust: 0.7

CNVD: CNVD-2021-02632
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202101-837
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-28384
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-02632
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-28384
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-28384
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-28384
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-21-076 // CNVD: CNVD-2021-02632 // JVNDB: JVNDB-2020-015354 // CNNVD: CNNVD-202101-837 // NVD: CVE-2020-28384

PROBLEMTYPE DATA

problemtype:CWE-121

Trust: 1.0

problemtype:CWE-787

Trust: 1.0

problemtype:Out-of-bounds writing (CWE-787) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2020-015354 // NVD: CVE-2020-28384

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202101-837

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202101-837

PATCH

title:SSA-979834url:https://cert-portal.siemens.com/productcert/pdf/ssa-979834.pdf

Trust: 0.8

title:Siemens has issued an update to correct this vulnerability.url:https://us-cert.cisa.gov/ics/advisories/icsa-21-012-04

Trust: 0.7

title:Patch for Solid Edge stack buffer overflowurl:https://www.cnvd.org.cn/patchInfo/show/244048

Trust: 0.6

title:Siemens Solid Edge Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=139507

Trust: 0.6

sources: ZDI: ZDI-21-076 // CNVD: CNVD-2021-02632 // JVNDB: JVNDB-2020-015354 // CNNVD: CNNVD-202101-837

EXTERNAL IDS

db:NVDid:CVE-2020-28384

Trust: 3.7

db:ZDIid:ZDI-21-076

Trust: 3.1

db:ICS CERTid:ICSA-21-012-04

Trust: 2.4

db:SIEMENSid:SSA-979834

Trust: 2.2

db:ZDIid:ZDI-21-055

Trust: 1.6

db:JVNid:JVNVU91685542

Trust: 0.8

db:JVNDBid:JVNDB-2020-015354

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-11922

Trust: 0.7

db:CNVDid:CNVD-2021-02632

Trust: 0.6

db:AUSCERTid:ESB-2021.0126

Trust: 0.6

db:CNNVDid:CNNVD-202101-837

Trust: 0.6

sources: ZDI: ZDI-21-076 // CNVD: CNVD-2021-02632 // JVNDB: JVNDB-2020-015354 // CNNVD: CNNVD-202101-837 // NVD: CVE-2020-28384

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-012-04

Trust: 3.7

url:https://www.zerodayinitiative.com/advisories/zdi-21-076/

Trust: 2.4

url:https://cert-portal.siemens.com/productcert/pdf/ssa-979834.pdf

Trust: 2.2

url:https://www.zerodayinitiative.com/advisories/zdi-21-055/

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-28384

Trust: 1.4

url:https://jvn.jp/vu/jvnvu91685542/

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2021.0126/

Trust: 0.6

sources: ZDI: ZDI-21-076 // CNVD: CNVD-2021-02632 // JVNDB: JVNDB-2020-015354 // CNNVD: CNNVD-202101-837 // NVD: CVE-2020-28384

CREDITS

rgod

Trust: 0.7

sources: ZDI: ZDI-21-076

SOURCES

db:ZDIid:ZDI-21-076
db:CNVDid:CNVD-2021-02632
db:JVNDBid:JVNDB-2020-015354
db:CNNVDid:CNNVD-202101-837
db:NVDid:CVE-2020-28384

LAST UPDATE DATE

2024-08-14T12:05:47.223000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-21-076date:2021-01-20T00:00:00
db:CNVDid:CNVD-2021-02632date:2021-01-13T00:00:00
db:JVNDBid:JVNDB-2020-015354date:2021-09-17T05:28:00
db:CNNVDid:CNNVD-202101-837date:2021-02-18T00:00:00
db:NVDid:CVE-2020-28384date:2021-12-10T21:45:27.490

SOURCES RELEASE DATE

db:ZDIid:ZDI-21-076date:2021-01-20T00:00:00
db:CNVDid:CNVD-2021-02632date:2021-01-13T00:00:00
db:JVNDBid:JVNDB-2020-015354date:2021-09-17T00:00:00
db:CNNVDid:CNNVD-202101-837date:2021-01-12T00:00:00
db:NVDid:CVE-2020-28384date:2021-01-12T21:15:17.917