Sign-up

ID

VAR-202102-0024


CVE

CVE-2020-13555


TITLE

Advantech WebAccess/SCADA  Vulnerability in privilege management

Trust: 0.8

sources: JVNDB: JVNDB-2020-016180

DESCRIPTION

An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In COM Server Application Privilege Escalation, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege. Advantech WebAccess/SCADA Contains a privilege management vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture of Advantech. The software supports dynamic graphic display and real-time data control, and provides functions for remote control and management of automation equipment

Trust: 2.25

sources: NVD: CVE-2020-13555 // JVNDB: JVNDB-2020-016180 // CNVD: CNVD-2021-11308 // VULHUB: VHN-166345

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-11308

AFFECTED PRODUCTS

vendor:advantechmodel:webaccess\/scadascope:eqversion:9.0.1

Trust: 1.0

vendor:アドバンテック株式会社model:webaccess/scadascope:eqversion:9.0.1

Trust: 0.8

vendor:アドバンテック株式会社model:webaccess/scadascope:eqversion: -

Trust: 0.8

vendor:advantechmodel:webaccess/scadascope:eqversion:9.0.1

Trust: 0.6

sources: CNVD: CNVD-2021-11308 // JVNDB: JVNDB-2020-016180 // NVD: CVE-2020-13555

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-13555
value: HIGH

Trust: 1.0

talos-cna@cisco.com: CVE-2020-13555
value: HIGH

Trust: 1.0

NVD: CVE-2020-13555
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-11308
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202102-1263
value: HIGH

Trust: 0.6

VULHUB: VHN-166345
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-13555
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-11308
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-166345
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

talos-cna@cisco.com: CVE-2020-13555
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.0
impactScore: 6.0
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2020-13555
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.0
impactScore: 6.0
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2021-11308 // VULHUB: VHN-166345 // JVNDB: JVNDB-2020-016180 // CNNVD: CNNVD-202102-1263 // NVD: CVE-2020-13555 // NVD: CVE-2020-13555

PROBLEMTYPE DATA

problemtype:CWE-276

Trust: 1.1

problemtype:Improper authority management (CWE-269) [NVD Evaluation ]

Trust: 0.8

problemtype:CWE-269

Trust: 0.1

sources: VULHUB: VHN-166345 // JVNDB: JVNDB-2020-016180 // NVD: CVE-2020-13555

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202102-1263

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202102-1263

PATCH

title:WebAccess/SCADAurl:https://www.advantech.com/industrial-automation/webaccess/webaccessscada

Trust: 0.8

title:Advantech WebAccess/SCADA Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=142130

Trust: 0.6

sources: JVNDB: JVNDB-2020-016180 // CNNVD: CNNVD-202102-1263

EXTERNAL IDS

db:TALOSid:TALOS-2020-1169

Trust: 3.1

db:NVDid:CVE-2020-13555

Trust: 3.1

db:JVNDBid:JVNDB-2020-016180

Trust: 0.8

db:CNVDid:CNVD-2021-11308

Trust: 0.6

db:CNNVDid:CNNVD-202102-1263

Trust: 0.6

db:VULHUBid:VHN-166345

Trust: 0.1

sources: CNVD: CNVD-2021-11308 // VULHUB: VHN-166345 // JVNDB: JVNDB-2020-016180 // CNNVD: CNNVD-202102-1263 // NVD: CVE-2020-13555

REFERENCES

url:https://talosintelligence.com/vulnerability_reports/talos-2020-1169

Trust: 3.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-13555

Trust: 1.4

sources: CNVD: CNVD-2021-11308 // VULHUB: VHN-166345 // JVNDB: JVNDB-2020-016180 // CNNVD: CNNVD-202102-1263 // NVD: CVE-2020-13555

CREDITS

Discovered by Yuri Kramarz of Cisco Talos.

Trust: 0.6

sources: CNNVD: CNNVD-202102-1263

SOURCES

db:CNVDid:CNVD-2021-11308
db:VULHUBid:VHN-166345
db:JVNDBid:JVNDB-2020-016180
db:CNNVDid:CNNVD-202102-1263
db:NVDid:CVE-2020-13555

LAST UPDATE DATE

2024-08-14T13:54:15.853000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-11308date:2021-02-22T00:00:00
db:VULHUBid:VHN-166345date:2022-06-29T00:00:00
db:JVNDBid:JVNDB-2020-016180date:2021-11-12T00:59:00
db:CNNVDid:CNNVD-202102-1263date:2022-04-20T00:00:00
db:NVDid:CVE-2020-13555date:2022-06-29T20:22:05.910

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-11308date:2021-02-22T00:00:00
db:VULHUBid:VHN-166345date:2021-02-17T00:00:00
db:JVNDBid:JVNDB-2020-016180date:2021-11-12T00:00:00
db:CNNVDid:CNNVD-202102-1263date:2021-02-16T00:00:00
db:NVDid:CVE-2020-13555date:2021-02-17T19:15:12.590