CVE-2020-7590 - OpenCVE

A vulnerability has been identified in DCA Vantage Analyzer (All versions < V4.5 are affected by CVE-2020-7590. In addition, serial numbers < 40000 running software V4.4.0 are also affected by CVE-2020-15797). Affected devices use a hard-coded password to protect the onboard database. This could allow an attacker to read and or modify the onboard database. Successful exploitation requires direct physical access to the device.

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Siemens	Dca Vantage Analyzer Firmware Dca Vantage Analyzer

Configuration 1 [-]

AND

cpe:2.3:o:siemens:dca_vantage_analyzer_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:dca_vantage_analyzer:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.siemens-healthineers.com/support-documentation/security-advisory	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: siemens

Published: 2020-10-13T15:30:19

Updated: 2020-10-13T15:30:19

Reserved: 2020-01-21T00:00:00

Link: CVE-2020-7590

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-10-13T16:15:21.780

Modified: 2020-10-29T20:12:50.247

Link: CVE-2020-7590

JSON object: View

Redhat Information

No data.

CWE

CWE-259

{"containers": {"cna": {"affected": [{"product": "DCA Vantage Analyzer", "vendor": "Siemens", "versions": [{"status": "affected", "version": "All versions < V4.5 are affected by CVE-2020-7590. In addition, serial numbers < 40000 running software V4.4.0 are also affected by CVE-2020-15797"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in DCA Vantage Analyzer (All versions < V4.5 are affected by CVE-2020-7590. In addition, serial numbers < 40000 running software V4.4.0 are also affected by CVE-2020-15797). Affected devices use a hard-coded password to protect the onboard database. This could allow an attacker to read and or modify the onboard database. Successful exploitation requires direct physical access to the device."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-259", "description": "CWE-259: Use of Hard-coded Password", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-13T15:30:19", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.siemens-healthineers.com/support-documentation/security-advisory"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productcert@siemens.com", "ID": "CVE-2020-7590", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DCA Vantage Analyzer", "version": {"version_data": [{"version_value": "All versions < V4.5 are affected by CVE-2020-7590. In addition, serial numbers < 40000 running software V4.4.0 are also affected by CVE-2020-15797"}]}}]}, "vendor_name": "Siemens"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability has been identified in DCA Vantage Analyzer (All versions < V4.5 are affected by CVE-2020-7590. In addition, serial numbers < 40000 running software V4.4.0 are also affected by CVE-2020-15797). Affected devices use a hard-coded password to protect the onboard database. This could allow an attacker to read and or modify the onboard database. Successful exploitation requires direct physical access to the device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-259: Use of Hard-coded Password"}]}]}, "references": {"reference_data": [{"name": "https://www.siemens-healthineers.com/support-documentation/security-advisory", "refsource": "MISC", "url": "https://www.siemens-healthineers.com/support-documentation/security-advisory"}]}}}}, "cveMetadata": {"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2020-7590", "datePublished": "2020-10-13T15:30:19", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2020-10-13T15:30:19", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:dca_vantage_analyzer_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B4F34A3-AB7B-4528-9F27-3073E25A5176", "versionEndExcluding": "4.5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:dca_vantage_analyzer:-:*:*:*:*:*:*:*", "matchCriteriaId": "EDE5221F-8629-4DC4-AD8A-93EED671469B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in DCA Vantage Analyzer (All versions < V4.5 are affected by CVE-2020-7590. In addition, serial numbers < 40000 running software V4.4.0 are also affected by CVE-2020-15797). Affected devices use a hard-coded password to protect the onboard database. This could allow an attacker to read and or modify the onboard database. Successful exploitation requires direct physical access to the device."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en DCA Vantage Analyzer (todas las versiones anteriores a V4.5 est\u00e1n afectadas por CVE-2020-7590. Adem\u00e1s, los n\u00fameros de serial anteriores a 40000 que ejecutan el software versi\u00f3n V4.4.0 tambi\u00e9n est\u00e1n afectadas por CVE-2020-15797). Los dispositivos afectados usan una contrase\u00f1a embebida para proteger la base de datos integrada. Esto podr\u00eda permitir a un atacante leer o modificar la base de datos integrada. Una explotaci\u00f3n con \u00e9xito requiere acceso f\u00edsico directo al dispositivo"}], "id": "CVE-2020-7590", "lastModified": "2020-10-29T20:12:50.247", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-13T16:15:21.780", "references": [{"source": "productcert@siemens.com", "tags": ["Vendor Advisory"], "url": "https://www.siemens-healthineers.com/support-documentation/security-advisory"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-259"}], "source": "productcert@siemens.com", "type": "Primary"}]}