CVE-2020-5645 - OpenCVE

Session fixation vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version "05.65.00.BD" and earlier, GT1450-QMBDE CoreOS version "05.65.00.BD" and earlier, GT1450-QLBDE CoreOS version "05.65.00.BD" and earlier, GT1455HS-QTBDE CoreOS version "05.65.00.BD" and earlier, and GT1450HS-QMBDE CoreOS version "05.65.00.BD" and earlier) allows a remote unauthenticated attacker to stop the network functions of the products via a specially crafted packet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Mitsubishielectric	Gt1450-qlbde Gt1450-qmbde Coreos Gt1450hs-qmbde Gt1455hs-qtbde Gt1455-qtbde

Configuration 1 [-]

AND

cpe:2.3:o:mitsubishielectric:coreos:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:mitsubishielectric:gt1450-qlbde:-:::::::*
	cpe:2.3:h:mitsubishielectric:gt1450-qmbde:-:::::::*
	cpe:2.3:h:mitsubishielectric:gt1450hs-qmbde:-:::::::*
	cpe:2.3:h:mitsubishielectric:gt1455-qtbde:-:::::::*
	cpe:2.3:h:mitsubishielectric:gt1455hs-qtbde:-:::::::*

References

Link	Resource
https://jvn.jp/vu/JVNVU99562395/index.html	Third Party Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-20-310-02	Third Party Advisory US Government Resource
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf	Vendor Advisory
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jpcert

Published: 2020-11-06T02:06:27

Updated: 2020-11-10T15:14:37

Reserved: 2020-01-06T00:00:00

Link: CVE-2020-5645

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-06T03:15:17.400

Modified: 2020-11-20T17:33:03.770

Link: CVE-2020-5645

JSON object: View

Redhat Information

No data.

CWE

CWE-384

{"containers": {"cna": {"affected": [{"product": "GT14 Model of GOT 1000 series", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "(GT1455-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QLBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1455HS-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, and GT1450HS-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier)"}]}], "descriptions": [{"lang": "en", "value": "Session fixation vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version \"05.65.00.BD\" and earlier, GT1450-QMBDE CoreOS version \"05.65.00.BD\" and earlier, GT1450-QLBDE CoreOS version \"05.65.00.BD\" and earlier, GT1455HS-QTBDE CoreOS version \"05.65.00.BD\" and earlier, and GT1450HS-QMBDE CoreOS version \"05.65.00.BD\" and earlier) allows a remote unauthenticated attacker to stop the network functions of the products via a specially crafted packet."}], "problemTypes": [{"descriptions": [{"description": "Session fixation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-10T15:14:37", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-310-02"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/vu/JVNVU99562395/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2020-5645", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GT14 Model of GOT 1000 series", "version": {"version_data": [{"version_value": "(GT1455-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QLBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1455HS-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, and GT1450HS-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier)"}]}}]}, "vendor_name": "Mitsubishi Electric Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Session fixation vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version \"05.65.00.BD\" and earlier, GT1450-QMBDE CoreOS version \"05.65.00.BD\" and earlier, GT1450-QLBDE CoreOS version \"05.65.00.BD\" and earlier, GT1455HS-QTBDE CoreOS version \"05.65.00.BD\" and earlier, and GT1450HS-QMBDE CoreOS version \"05.65.00.BD\" and earlier) allows a remote unauthenticated attacker to stop the network functions of the products via a specially crafted packet."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Session fixation"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-310-02", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-310-02"}, {"name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf", "refsource": "MISC", "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf"}, {"name": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf", "refsource": "MISC", "url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf"}, {"name": "https://jvn.jp/vu/JVNVU99562395/index.html", "refsource": "MISC", "url": "https://jvn.jp/vu/JVNVU99562395/index.html"}]}}}}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2020-5645", "datePublished": "2020-11-06T02:06:27", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2020-11-10T15:14:37", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mitsubishielectric:coreos:*:*:*:*:*:*:*:*", "matchCriteriaId": "44FA010C-360A-4DE4-8F59-C67EA0569B2A", "versionEndIncluding": "05.65.00.bd", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mitsubishielectric:gt1450-qlbde:-:*:*:*:*:*:*:*", "matchCriteriaId": "F587B0E6-D2B1-47CC-80FE-8004698E4F71", "vulnerable": false}, {"criteria": "cpe:2.3:h:mitsubishielectric:gt1450-qmbde:-:*:*:*:*:*:*:*", "matchCriteriaId": "FF218A1A-4B6D-4510-80A7-CC22B8D027A4", "vulnerable": false}, {"criteria": "cpe:2.3:h:mitsubishielectric:gt1450hs-qmbde:-:*:*:*:*:*:*:*", "matchCriteriaId": "FE9E2C66-4742-4D50-A2AC-AE097BEF7CBE", "vulnerable": false}, {"criteria": "cpe:2.3:h:mitsubishielectric:gt1455-qtbde:-:*:*:*:*:*:*:*", "matchCriteriaId": "D2726AE6-8870-4FB3-B15C-88AAB26FBB9F", "vulnerable": false}, {"criteria": "cpe:2.3:h:mitsubishielectric:gt1455hs-qtbde:-:*:*:*:*:*:*:*", "matchCriteriaId": "3B4C3649-B5DF-4D62-A1EC-4A9DD2CA128A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Session fixation vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version \"05.65.00.BD\" and earlier, GT1450-QMBDE CoreOS version \"05.65.00.BD\" and earlier, GT1450-QLBDE CoreOS version \"05.65.00.BD\" and earlier, GT1455HS-QTBDE CoreOS version \"05.65.00.BD\" and earlier, and GT1450HS-QMBDE CoreOS version \"05.65.00.BD\" and earlier) allows a remote unauthenticated attacker to stop the network functions of the products via a specially crafted packet."}, {"lang": "es", "value": "Vulnerabilidad de fijaci\u00f3n de sesi\u00f3n en la funci\u00f3n TCP/IP incluida en el firmware del modelo GT14 de la serie GOT 1000 (GT1455-QTBDE CoreOS versi\u00f3n '05 .65.00.BD' y anteriores, GT1450-QMBDE CoreOS versi\u00f3n '05 .65.00.BD' y anteriores, GT1450-QLBDE CoreOS versi\u00f3n '05 .65.00.BD' y anteriores, GT1455HS-QTBDE CoreOS versi\u00f3n '05 .65.00.BD' y anteriores, y GT1450HS-QMBDE CoreOS versi\u00f3n '05 .65.00.BD' y anteriores), permite a un atacante no autenticado remoto detener las funciones de red de los productos por medio de un paquete especialmente dise\u00f1ado"}], "id": "CVE-2020-5645", "lastModified": "2020-11-20T17:33:03.770", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-06T03:15:17.400", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/vu/JVNVU99562395/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-310-02"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}]}