CVE-2020-24552 - OpenCVE

Atop Technology industrial 3G/4G gateway contains Command Injection vulnerability. Due to insufficient input validation, the device's web management interface allows attackers to inject specific code and execute system commands without privilege.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Atoptechnology	Se5908a Firmware Se5916 Firmware Se5916a Se5908 Se5904d Firmware Se5901 Firmware Se5901b Firmware Se5901 Se5908a Se5904d Se5916 Se5908 Firmware Se5916a Firmware Se5901b

Configuration 1 [-]

AND

cpe:2.3:o:atoptechnology:se5901_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:atoptechnology:se5901:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:atoptechnology:se5901b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:atoptechnology:se5901b:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:atoptechnology:se5904d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:atoptechnology:se5904d:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:atoptechnology:se5908_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:atoptechnology:se5908:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:atoptechnology:se5908a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:atoptechnology:se5908a:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:atoptechnology:se5916_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:atoptechnology:se5916:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:atoptechnology:se5916a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:atoptechnology:se5916a:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.twcert.org.tw/tw/cp-132-3956-608f1-1.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: twcert

Published: 2020-09-10T00:00:00

Updated: 2020-09-10T08:40:20

Reserved: 2020-08-20T00:00:00

Link: CVE-2020-24552

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-09-10T09:15:12.097

Modified: 2020-09-16T14:10:52.020

Link: CVE-2020-24552

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5901", "vendor": "Atop Technology", "versions": [{"lessThanOrEqual": "1.4", "status": "affected", "version": "1.18", "versionType": "custom"}]}, {"product": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5901B", "vendor": "Atop Technology", "versions": [{"lessThanOrEqual": "1.4", "status": "affected", "version": "1.18", "versionType": "custom"}]}, {"product": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5904D", "vendor": "Atop Technology", "versions": [{"lessThanOrEqual": "1.4", "status": "affected", "version": "1.18", "versionType": "custom"}]}, {"product": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5908", "vendor": "Atop Technology", "versions": [{"status": "affected", "version": "1.18 1.4"}]}, {"product": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5908A", "vendor": "Atop Technology", "versions": [{"status": "affected", "version": "1.18 1.4"}]}, {"product": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5916", "vendor": "Atop Technology", "versions": [{"status": "affected", "version": "1.18 1.4"}]}, {"product": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5916A", "vendor": "Atop Technology", "versions": [{"status": "affected", "version": "1.18 1.4"}]}], "datePublic": "2020-09-10T00:00:00", "descriptions": [{"lang": "en", "value": "Atop Technology industrial 3G/4G gateway contains Command Injection vulnerability. Due to insufficient input validation, the device's web management interface allows attackers to inject specific code and execute system commands without privilege."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-10T08:40:20", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-3956-608f1-1.html"}], "solutions": [{"lang": "en", "value": "Update Firmware series to V1.51"}], "source": {"discovery": "UNKNOWN"}, "title": "Atop Technology 3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway - Command Injection", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2020-09-10T08:00:00.000Z", "ID": "CVE-2020-24552", "STATE": "PUBLIC", "TITLE": "Atop Technology 3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway - Command Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5901", "version": {"version_data": [{"version_affected": "<=", "version_name": "1.18", "version_value": "1.4"}]}}, {"product_name": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5901B", "version": {"version_data": [{"version_affected": "<=", "version_name": "1.18", "version_value": "1.4"}]}}, {"product_name": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5904D", "version": {"version_data": [{"version_affected": "<=", "version_name": "1.18", "version_value": "1.4"}]}}, {"product_name": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5908", "version": {"version_data": [{"version_name": "1.18", "version_value": "1.4"}]}}, {"product_name": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5908A", "version": {"version_data": [{"version_name": "1.18", "version_value": "1.4"}]}}, {"product_name": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5916", "version": {"version_data": [{"version_name": "1.18", "version_value": "1.4"}]}}, {"product_name": "3G/4G LTE Cellular to Ethernet and Serial Secure Industrial Gateway SE5916A", "version": {"version_data": [{"version_name": "1.18", "version_value": "1.4"}]}}]}, "vendor_name": "Atop Technology"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Atop Technology industrial 3G/4G gateway contains Command Injection vulnerability. Due to insufficient input validation, the device's web management interface allows attackers to inject specific code and execute system commands without privilege."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-3956-608f1-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-3956-608f1-1.html"}]}, "solution": [{"lang": "en", "value": "Update Firmware series to V1.51"}], "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2020-24552", "datePublished": "2020-09-10T00:00:00", "dateReserved": "2020-08-20T00:00:00", "dateUpdated": "2020-09-10T08:40:20", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:atoptechnology:se5901_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5918207-0E49-459D-8B9D-C0DC044DE48F", "versionEndIncluding": "1.40", "versionStartIncluding": "1.18", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:atoptechnology:se5901:-:*:*:*:*:*:*:*", "matchCriteriaId": "C79C9A6A-E292-403E-AE7C-8585BF9DF9BF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:atoptechnology:se5901b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E196C85A-DD61-4AD3-9B3A-606ECD790272", "versionEndIncluding": "1.40", "versionStartIncluding": "1.18", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:atoptechnology:se5901b:-:*:*:*:*:*:*:*", "matchCriteriaId": "F005E3ED-A937-4E22-B7E5-A19D75BFF19E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:atoptechnology:se5904d_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "04A2905F-6CB6-4034-91D4-31C35B818D6D", "versionEndIncluding": "1.40", "versionStartIncluding": "1.18", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:atoptechnology:se5904d:-:*:*:*:*:*:*:*", "matchCriteriaId": "993B0A78-9EF4-4CE3-97BE-83A8E5268DB9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:atoptechnology:se5908_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD9F05F1-E912-4886-9FE8-B41D7B2D9329", "versionEndIncluding": "1.40", "versionStartIncluding": "1.18", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:atoptechnology:se5908:-:*:*:*:*:*:*:*", "matchCriteriaId": "B0A57F74-32C6-45E0-BFE0-27B3FE96AA80", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:atoptechnology:se5908a_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9465E477-471B-4AD5-B997-5A767E87EF93", "versionEndIncluding": "1.40", "versionStartIncluding": "1.18", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:atoptechnology:se5908a:-:*:*:*:*:*:*:*", "matchCriteriaId": "3BDA1AE5-5098-4B1F-B4FD-29F9935DF6E9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:atoptechnology:se5916_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE19B5D8-FBCD-4EAE-9A6B-B50E2742146C", "versionEndIncluding": "1.40", "versionStartIncluding": "1.18", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:atoptechnology:se5916:-:*:*:*:*:*:*:*", "matchCriteriaId": "61C8BC8B-F1F8-4A96-85AB-820101AA570A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:atoptechnology:se5916a_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E2EBD60-4323-4AAB-ABBA-DC4BCD717294", "versionEndIncluding": "1.40", "versionStartIncluding": "1.18", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:atoptechnology:se5916a:-:*:*:*:*:*:*:*", "matchCriteriaId": "2D66FC6D-D307-4BA0-9807-D16C67203053", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Atop Technology industrial 3G/4G gateway contains Command Injection vulnerability. Due to insufficient input validation, the device's web management interface allows attackers to inject specific code and execute system commands without privilege."}, {"lang": "es", "value": "Una puerta de enlace industrial 3G/4G de Atop Technology contiene una vulnerabilidad de Inyecci\u00f3n de Comando. Debido a una comprobaci\u00f3n de entrada insuficiente, la interfaz de administraci\u00f3n web del dispositivo permite a atacantes inyectar c\u00f3digo espec\u00edfico y ejecutar comandos del sistema sin privilegios"}], "id": "CVE-2020-24552", "lastModified": "2020-09-16T14:10:52.020", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2020-09-10T09:15:12.097", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-3956-608f1-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "twcert@cert.org.tw", "type": "Secondary"}]}