CVE-2020-35587 - OpenCVE

In Solstice Pod before 3.0.3, the firmware can easily be decompiled/disassembled. The decompiled/disassembled files contain non-obfuscated code. NOTE: it is unclear whether lack of obfuscation is directly associated with a negative impact, or instead only facilitates an attack technique

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mersive	Solstice Solstice Firmware

Configuration 1 [-]

AND

cpe:2.3:o:mersive:solstice_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:mersive:solstice:-:*:*:*:*:*:*:*

References

Link	Resource
https://attack.mitre.org/techniques/T1444/	Third Party Advisory
https://documentation.mersive.com/content/pages/release-notes.htm	Release Notes Vendor Advisory
https://github.com/aress31/solstice-pod-cves	Third Party Advisory
https://www.mersive.com/uk/products/solstice/	Product Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-12-23T15:19:28

Updated: 2024-06-04T17:12:13.948Z

Reserved: 2020-12-20T00:00:00

Link: CVE-2020-35587

JSON object: View

NVD Information

Status : Modified

Published: 2020-12-23T16:15:12.950

Modified: 2024-06-04T19:17:01.813

Link: CVE-2020-35587

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Solstice Pod before 3.0.3, the firmware can easily be decompiled/disassembled. The decompiled/disassembled files contain non-obfuscated code. NOTE: it is unclear whether lack of obfuscation is directly associated with a negative impact, or instead only facilitates an attack technique"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-23T15:19:28", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://documentation.mersive.com/content/pages/release-notes.htm"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mersive.com/uk/products/solstice/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/aress31/solstice-pod-cves"}, {"tags": ["x_refsource_MISC"], "url": "https://attack.mitre.org/techniques/T1444/"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-35587", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** In Solstice Pod before 3.0.3, the firmware can easily be decompiled/disassembled. The decompiled/disassembled files contain non-obfuscated code. NOTE: it is unclear whether lack of obfuscation is directly associated with a negative impact, or instead only facilitates an attack technique."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://documentation.mersive.com/content/pages/release-notes.htm", "refsource": "MISC", "url": "https://documentation.mersive.com/content/pages/release-notes.htm"}, {"name": "https://www.mersive.com/uk/products/solstice/", "refsource": "MISC", "url": "https://www.mersive.com/uk/products/solstice/"}, {"name": "https://github.com/aress31/solstice-pod-cves", "refsource": "MISC", "url": "https://github.com/aress31/solstice-pod-cves"}, {"name": "https://attack.mitre.org/techniques/T1444/", "refsource": "MISC", "url": "https://attack.mitre.org/techniques/T1444/"}]}}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-35587", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-26T19:02:45.102955Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:mersive:solstice_pod_firmware:3.0.3:*:*:*:*:*:*:*"], "vendor": "mersive", "product": "solstice_pod_firmware", "versions": [{"status": "affected", "version": "3.0.3"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:12:13.948Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-35587", "datePublished": "2020-12-23T15:19:28", "dateReserved": "2020-12-20T00:00:00", "dateUpdated": "2024-06-04T17:12:13.948Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mersive:solstice_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "96AE3C80-4EF3-4F59-9A0E-9F969E984D45", "versionEndExcluding": "3.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mersive:solstice:-:*:*:*:*:*:*:*", "matchCriteriaId": "A24B6FEA-2227-4941-8FC8-1741A3376F6B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "In Solstice Pod before 3.0.3, the firmware can easily be decompiled/disassembled. The decompiled/disassembled files contain non-obfuscated code. NOTE: it is unclear whether lack of obfuscation is directly associated with a negative impact, or instead only facilitates an attack technique"}, {"lang": "es", "value": "**EN DISPUTA** En Solstice Pod versiones anteriores a 3.0.3, el firmware puede ser descompilado y desmontado f\u00e1cilmente. Los archivos descompilados y desensamblados contienen c\u00f3digo no ofuscado. NOTA: no est\u00e1 claro si la falta de ofuscaci\u00f3n est\u00e1 directamente asociada con un impacto negativo o, en cambio, solo facilita una t\u00e9cnica de ataque"}], "id": "CVE-2020-35587", "lastModified": "2024-06-04T19:17:01.813", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-23T16:15:12.950", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://attack.mitre.org/techniques/T1444/"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.mersive.com/content/pages/release-notes.htm"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/aress31/solstice-pod-cves"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.mersive.com/uk/products/solstice/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}