CVE-2020-27149 - OpenCVE

By exploiting a vulnerability in NPort IA5150A/IA5250A Series before version 1.5, a user with “Read Only” privilege level can send requests via the web console to have the device’s configuration changed.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Moxa	Nport Ia5450a Nport Ia5450a Firmware Nport Ia5150a Nport Ia5150a Firmware Nport Ia5250a Nport Ia5250a Firmware

Configuration 1 [-]

AND

cpe:2.3:o:moxa:nport_ia5150a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:moxa:nport_ia5150a:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:moxa:nport_ia5250a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:moxa:nport_ia5250a:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:moxa:nport_ia5450a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:moxa:nport_ia5450a:-:*:*:*:*:*:*:*

References

Link	Resource
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-018%2C
https://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Kaspersky

Published: 2021-05-14T11:13:37

Updated: 2021-05-14T11:13:37

Reserved: 2020-10-14T00:00:00

Link: CVE-2020-27149

JSON object: View

NVD Information

Status : Modified

Published: 2021-05-14T12:15:07.730

Modified: 2023-11-07T03:20:50.013

Link: CVE-2020-27149

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "NPort IA5000A Series with web console enabled", "vendor": "n/a", "versions": [{"status": "affected", "version": "All versions before 1.5 for NPort IA5150A/IA5250A Series. All version before 2.0 for NPort 5450 Series"}]}], "descriptions": [{"lang": "en", "value": "By exploiting a vulnerability in NPort IA5150A/IA5250A Series before version 1.5, a user with \u201cRead Only\u201d privilege level can send requests via the web console to have the device\u2019s configuration changed."}], "problemTypes": [{"descriptions": [{"description": "Improper Access Control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-14T11:13:37", "orgId": "e45d732a-8f6b-4b6b-be76-7420f6a2b988", "shortName": "Kaspersky"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-018%2C"}, {"tags": ["x_refsource_MISC"], "url": "https://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerability@kaspersky.com", "ID": "CVE-2020-27149", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "NPort IA5000A Series with web console enabled", "version": {"version_data": [{"version_value": "All versions before 1.5 for NPort IA5150A/IA5250A Series. All version before 2.0 for NPort 5450 Series"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "By exploiting a vulnerability in NPort IA5150A/IA5250A Series before version 1.5, a user with \u201cRead Only\u201d privilege level can send requests via the web console to have the device\u2019s configuration changed."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-018,", "refsource": "MISC", "url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-018,"}, {"name": "https://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities", "refsource": "MISC", "url": "https://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities"}]}}}}, "cveMetadata": {"assignerOrgId": "e45d732a-8f6b-4b6b-be76-7420f6a2b988", "assignerShortName": "Kaspersky", "cveId": "CVE-2020-27149", "datePublished": "2021-05-14T11:13:37", "dateReserved": "2020-10-14T00:00:00", "dateUpdated": "2021-05-14T11:13:37", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:moxa:nport_ia5150a_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFE57EA1-1AA4-41A8-BDFE-723B31F56DC0", "versionEndExcluding": "1.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:moxa:nport_ia5150a:-:*:*:*:*:*:*:*", "matchCriteriaId": "EBA01711-3023-4961-872F-5DB4792C13C3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:moxa:nport_ia5250a_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "56FC63E7-98DF-437C-8A73-F5728F3C794E", "versionEndExcluding": "1.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:moxa:nport_ia5250a:-:*:*:*:*:*:*:*", "matchCriteriaId": "4C7805EF-B929-4DB3-9D68-FEBCD0B69781", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:moxa:nport_ia5450a_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F911D1EE-2963-46D3-AEC4-2EFDDC5469F5", "versionEndExcluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:moxa:nport_ia5450a:-:*:*:*:*:*:*:*", "matchCriteriaId": "D377FBAC-FF5B-4DFB-9ECA-4D148AFE0CDE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "By exploiting a vulnerability in NPort IA5150A/IA5250A Series before version 1.5, a user with \u201cRead Only\u201d privilege level can send requests via the web console to have the device\u2019s configuration changed."}, {"lang": "es", "value": "Al explotar una vulnerabilidad en la Serie NPort IA5150A/IA5250A versiones anteriores a 1.5, un usuario con nivel de privilegio \"Read Only\" puede enviar peticiones mediante la consola web para cambiar la configuraci\u00f3n del dispositivo"}], "id": "CVE-2020-27149", "lastModified": "2023-11-07T03:20:50.013", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-14T12:15:07.730", "references": [{"source": "vulnerability@kaspersky.com", "url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-018%2C"}, {"source": "vulnerability@kaspersky.com", "tags": ["Vendor Advisory"], "url": "https://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities"}], "sourceIdentifier": "vulnerability@kaspersky.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}