CVE-2020-12496

Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor. The firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it's possible and during the analysis it was discovered that it also has an issue with the access-control matrix on the server-side. It was found that a user with low rights can get information from endpoints that should not be available to this user.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://cert.vde.com/en-us/advisories/vde-2020-022	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:endress:rsg35_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:endress:rsg35:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:endress:rsg45_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:endress:rsg45:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:endress:orsg35_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:endress:orsg35:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:endress:orsg45_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:endress:orsg45:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-11-19 18:15

Updated : 2024-02-04 21:23

NVD link : CVE-2020-12496

Mitre link : CVE-2020-12496

CVE.ORG link : CVE-2020-12496

JSON object : View

Products Affected

endress

orsg45
rsg45
orsg35
orsg45_firmware
rsg35
orsg35_firmware
rsg35_firmware
rsg45_firmware

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2020-12496", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "info@cert.vde.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-11-19T18:15:13.850", "references": [{"url": "https://cert.vde.com/en-us/advisories/vde-2020-022", "tags": ["Vendor Advisory"], "source": "info@cert.vde.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Secondary", "source": "info@cert.vde.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above is prone to exposure of sensitive information to an unauthorized actor. The firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it's possible and during the analysis it was discovered that it also has an issue with the access-control matrix on the server-side. It was found that a user with low rights can get information from endpoints that should not be available to this user."}, {"lang": "es", "value": "Endress + Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) y Memograph M (Neutral/Private Label) (RSG45, ORSG45) con la versi\u00f3n de firmware V2.0.0 y superior, es propenso a exponer informaci\u00f3n confidencial a un actor no autorizado. La versi\u00f3n de firmware posee un token din\u00e1mico para cada petici\u00f3n enviada al servidor, lo que hace que las peticiones repetidas y el an\u00e1lisis sean lo suficientemente complejos. Sin embargo, es posible y durante el an\u00e1lisis se detect\u00f3 que tambi\u00e9n tiene un problema con la matriz de control de acceso en el lado del servidor. Se encontr\u00f3 que un usuario con pocos derechos puede obtener informaci\u00f3n de los endpoints que no deber\u00eda estar disponible para este usuario"}], "lastModified": "2020-12-08T18:44:38.097", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:endress:rsg35_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09972345-A856-4BCC-B649-EB93AEC89AB7", "versionEndExcluding": "2.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:endress:rsg35:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2FD4C836-D775-49B1-997C-5F1BE2DA3422"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:endress:rsg45_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A2917E2E-DF23-419A-B1CF-AD39A49DC535", "versionEndExcluding": "2.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:endress:rsg45:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5BE8DDCA-3704-41B9-BE65-467DC0C832E3"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:endress:orsg35_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47846DD8-45BF-4ECD-87C7-77E9CF32689F", "versionEndExcluding": "2.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:endress:orsg35:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BACEE257-8D0A-4EC7-9DC1-D7BFA2606717"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:endress:orsg45_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF6DB41B-E6A6-4E0B-B87E-EDD8FC9AF068", "versionEndExcluding": "2.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:endress:orsg45:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DF859810-2537-4704-91FD-35353063C562"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "info@cert.vde.com"}