VDE-2020-003

Vulnerability from csaf_phoenixcontactgmbhcokg - Published: 2020-03-05 15:58 - Updated: 2025-05-14 12:28
Summary
PHOENIX CONTACT: TC Router and TC Cloud Client multiple vulnerabilities
Notes
Summary: Multiple Vulnerabilities exist in components used by the aforementioned products. See CVE-Details for more information.
Impact:
CVE-2017-16544: This vulnerability could potentially result in code execution, arbitrary file writes, or other attacks. The impact of this vulnerability on the device is limited because shell access is only possible with administrator privileges.
CVE-2020-9436: An attacker can abuse this vulnerability to compromise the operating system of the device by injecting system commands.
CVE-2020-9435: These attacks could allow an attacker to gain access to sensitive information like admin credentials, configuration parameters or status information and use them in further attacks.
Mitigation: The pre-installed generic X.509 certificate should be renewed or replaced by an individual certificate during initial configuration. For details on replacing this certificate please refer to the user manual on page 51 et seq. Press 'renew' to create a new self-signed device certificate or upload a user specific certificate with the upload dialog. To avoid the manual generation of an individual certificate, the devices will be shipped with individual certificates starting with a future release.
Remediation: Phoenix Contact strongly recommends updating affected devices to the newest firmware version.

CVE-2017-16544
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

CWE-94 - Improper Control of Generation of Code ('Code Injection')
Mitigation: The pre-installed generic X.509 certificate should be renewed or replaced by an individual certificate during initial configuration. For details on replacing this certificate please refer to the user manual on page 51 et seq. Press 'renew' to create a new self-signed device certificate or upload a user specific certificate with the upload dialog. To avoid the manual generation of an individual certificate, the devices will be shipped with individual certificates starting with a future release.

CVE-2020-9436
PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices allow authenticated users to inject system commands through a modified POST request to a specific URL.

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Mitigation: The pre-installed generic X.509 certificate should be renewed or replaced by an individual certificate during initial configuration. For details on replacing this certificate please refer to the user manual on page 51 et seq. Press 'renew' to create a new self-signed device certificate or upload a user specific certificate with the upload dialog. To avoid the manual generation of an individual certificate, the devices will be shipped with individual certificates starting with a future release.

CVE-2020-9435
PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices contain a hardcoded certificate (and key) that is used by default for web-based services on the device. Impersonation, man-in-the-middle, or passive decryption attacks are possible if the generic certificate is not replaced by a device-specific certificate during installation.

CWE-798 - Use of Hard-coded Credentials
Mitigation: The pre-installed generic X.509 certificate should be renewed or replaced by an individual certificate during initial configuration. For details on replacing this certificate please refer to the user manual on page 51 et seq. Press 'renew' to create a new self-signed device certificate or upload a user specific certificate with the upload dialog. To avoid the manual generation of an individual certificate, the devices will be shipped with individual certificates starting with a future release.
Acknowledgments
Thomas Weber, SEC Consult Vulnerability Lab (sec-consult.com) - reporting

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERTVDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Thomas Weber"
        ],
        "organization": "SEC Consult Vulnerability Lab",
        "summary": "reporting",
        "urls": [
          "https://sec-consult.com"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Multiple Vulnerabilities exist in components used by the aforementioned products. See CVE-Details for more information.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "CVE-2017-16544\nThis Vulnerability could potentially result in code execution, arbitrary file writes, or other attacks.\nThe impact of this vulnerability on the device is limited because shell access is only possible with administrator privileges.\n\nCVE-2020-9436\nAn attacker can abuse this vulnerability to compromise the operating system of the device by injecting system commands.\n\nCVE-2020-9435\nThese attacks could allow an attacker to gain access to sensitive information like admin credentials, configuration parameters or status information and use them in further attacks.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "The pre-installed generic X.509 certificate should be renewed or replaced by an individual certificate during initial configuration. For details on replacing this certificate please refer to the user manual on page 51 et seq. Press \u0027renew\u0027 to create a new self-signed device certificate or upload a user specific certificate with the upload dialog.\n\nTo avoid the manual generation of an individual certificate, the devices will be shipped with individual certificates starting with a future release.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "Phoenix Contact strongly recommended to update affected devices to newest Firmware version",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@phoenixcontact.com",
      "name": "Phoenix Contact GmbH \u0026 Co. KG",
      "namespace": "https://phoenixcontact.com/psirt"
    },
    "references": [
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Phoenix Contact",
        "url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Phoenix Contact",
        "url": "https://certvde.com/en/advisories/vendor/phoenixcontact/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-003: PHOENIX CONTACT: TC Router and TC Cloud Client multiple vulnerabilities - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2020-003/"
      },
      {
        "category": "self",
        "summary": "VDE-2020-003: PHOENIX CONTACT: TC Router and TC Cloud Client multiple vulnerabilities - CSAF",
        "url": "https://phoenixcontact.csaf-tp.certvde.com/.well-known/csaf/white/2020/vde-2020-003.json"
      }
    ],
    "title": "PHOENIX CONTACT: TC Router and TC Cloud Client multiple vulnerabilities",
    "tracking": {
      "aliases": [
        "VDE-2020-003"
      ],
      "current_release_date": "2025-05-14T12:28:19.000Z",
      "generator": {
        "date": "2020-03-05T15:58:00.000Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.10"
        }
      },
      "id": "VDE-2020-003",
      "initial_release_date": "2020-03-05T15:58:00.000Z",
      "revision_history": [
        {
          "date": "2020-03-05T15:58:00.000Z",
          "number": "1",
          "summary": "initial revision"
        },
        {
          "date": "2025-05-14T12:28:19.000Z",
          "number": "2",
          "summary": "Fix: removed ia, added distribution, fixed version"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "TC CLOUD CLIENT 1002-4G",
                "product": {
                  "name": "TC CLOUD CLIENT 1002-4G",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2702886"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "TC CLOUD CLIENT 1002-4G ATT",
                "product": {
                  "name": "TC CLOUD CLIENT 1002-4G ATT",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2702888"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "TC CLOUD CLIENT 1002-4G VZW",
                "product": {
                  "name": "TC CLOUD CLIENT 1002-4G VZW",
                  "product_id": "CSAFPID-11003",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2702887"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "TC CLOUD CLIENT 1002-TXTX",
                "product": {
                  "name": "TC CLOUD CLIENT 1002-TXTX",
                  "product_id": "CSAFPID-11004",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2702885"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "TC ROUTER 2002T-3G",
                "product": {
                  "name": "TC ROUTER 2002T-3G",
                  "product_id": "CSAFPID-11005",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2702531",
                      "2702529"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "TC ROUTER 3002T-4G",
                "product": {
                  "name": "TC ROUTER 3002T-4G",
                  "product_id": "CSAFPID-11006",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2702528",
                      "2702530"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "TC ROUTER 3002T-4G ATT",
                "product": {
                  "name": "TC ROUTER 3002T-4G ATT",
                  "product_id": "CSAFPID-11007",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2702533"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "TC ROUTER 3002T-4G VZW",
                "product": {
                  "name": "TC ROUTER 3002T-4G VZW",
                  "product_id": "CSAFPID-11008",
                  "product_identification_helper": {
                    "model_numbers": [
                      "2702532"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=2.03.17",
                "product": {
                  "name": "Firmware \u003c=2.03.17",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "2.03.18",
                "product": {
                  "name": "Firmware 2.03.18",
                  "product_id": "CSAFPID-22001"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=1.03.17",
                "product": {
                  "name": "Firmware \u003c=1.03.17",
                  "product_id": "CSAFPID-21004"
                }
              },
              {
                "category": "product_version",
                "name": "1.03.18",
                "product": {
                  "name": "Firmware 1.03.18",
                  "product_id": "CSAFPID-22004"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=2.05.3",
                "product": {
                  "name": "Firmware \u003c=2.05.3",
                  "product_id": "CSAFPID-21005"
                }
              },
              {
                "category": "product_version",
                "name": "2.05.4",
                "product": {
                  "name": "Firmware 2.05.4",
                  "product_id": "CSAFPID-22005"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "PHOENIX CONTACT GmbH \u0026 Co. KG"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008"
        ],
        "summary": "Affected Products"
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008"
        ],
        "summary": "Fixed Products"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2.03.17 installed on TC CLOUD CLIENT 1002-4G",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.03.18 installed on TC CLOUD CLIENT 1002-4G",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2.03.17 installed on TC CLOUD CLIENT 1002-4G ATT",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.03.18 installed on TC CLOUD CLIENT 1002-4G ATT",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2.03.17 installed on TC CLOUD CLIENT 1002-4G VZW",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.03.18 installed on TC CLOUD CLIENT 1002-4G VZW",
          "product_id": "CSAFPID-32003"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=1.03.17 installed on TC CLOUD CLIENT 1002-TXTX",
          "product_id": "CSAFPID-31004"
        },
        "product_reference": "CSAFPID-21004",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.03.18 installed on TC CLOUD CLIENT 1002-TXTX",
          "product_id": "CSAFPID-32004"
        },
        "product_reference": "CSAFPID-22004",
        "relates_to_product_reference": "CSAFPID-11004"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2.05.3 installed on TC ROUTER 2002T-3G",
          "product_id": "CSAFPID-31005"
        },
        "product_reference": "CSAFPID-21005",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.05.4 installed on TC ROUTER 2002T-3G",
          "product_id": "CSAFPID-32005"
        },
        "product_reference": "CSAFPID-22005",
        "relates_to_product_reference": "CSAFPID-11005"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2.05.3 installed on TC ROUTER 3002T-4G",
          "product_id": "CSAFPID-31006"
        },
        "product_reference": "CSAFPID-21005",
        "relates_to_product_reference": "CSAFPID-11006"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.05.4 installed on TC ROUTER 3002T-4G",
          "product_id": "CSAFPID-32006"
        },
        "product_reference": "CSAFPID-22005",
        "relates_to_product_reference": "CSAFPID-11006"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2.05.3 installed on TC ROUTER 3002T-4G ATT",
          "product_id": "CSAFPID-31007"
        },
        "product_reference": "CSAFPID-21005",
        "relates_to_product_reference": "CSAFPID-11007"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.05.4 installed on TC ROUTER 3002T-4G ATT",
          "product_id": "CSAFPID-32007"
        },
        "product_reference": "CSAFPID-22005",
        "relates_to_product_reference": "CSAFPID-11007"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=2.05.3 installed on TC ROUTER 3002T-4G VZW",
          "product_id": "CSAFPID-31008"
        },
        "product_reference": "CSAFPID-21005",
        "relates_to_product_reference": "CSAFPID-11008"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.05.4 installed on TC ROUTER 3002T-4G VZW",
          "product_id": "CSAFPID-32008"
        },
        "product_reference": "CSAFPID-22005",
        "relates_to_product_reference": "CSAFPID-11008"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-16544",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The pre-installed generic X.509 certificate should be renewed or replaced by an individual certificate during initial configuration. For details on replacing this certificate please refer to the user manual on page 51 et seq. Press \u0027renew\u0027 to create a new self-signed device certificate or upload a user specific certificate with the upload dialog.\n\nTo avoid the manual generation of an individual certificate, the devices will be shipped with individual certificates starting with a future release.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008"
          ]
        }
      ],
      "title": "CVE-2017-16544"
    },
    {
      "cve": "CVE-2020-9436",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices allow authenticated users to inject system commands through a modified POST request to a specific URL.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The pre-installed generic X.509 certificate should be renewed or replaced by an individual certificate during initial configuration. For details on replacing this certificate please refer to the user manual on page 51 et seq. Press \u0027renew\u0027 to create a new self-signed device certificate or upload a user specific certificate with the upload dialog.\n\nTo avoid the manual generation of an individual certificate, the devices will be shipped with individual certificates starting with a future release.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008"
          ]
        }
      ],
      "title": "CVE-2020-9436"
    },
    {
      "cve": "CVE-2020-9435",
      "cwe": {
        "id": "CWE-798",
        "name": "Use of Hard-coded Credentials"
      },
      "notes": [
        {
          "category": "description",
          "text": "PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices contain a hardcoded certificate (and key) that is used by default for web-based services on the device. Impersonation, man-in-the-middle, or passive decryption attacks are possible if the generic certificate is not replaced by a device-specific certificate during installation.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003",
          "CSAFPID-32004",
          "CSAFPID-32005",
          "CSAFPID-32006",
          "CSAFPID-32007",
          "CSAFPID-32008"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004",
          "CSAFPID-31005",
          "CSAFPID-31006",
          "CSAFPID-31007",
          "CSAFPID-31008"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "The pre-installed generic X.509 certificate should be renewed or replaced by an individual certificate during initial configuration. For details on replacing this certificate please refer to the user manual on page 51 et seq. Press \u0027renew\u0027 to create a new self-signed device certificate or upload a user specific certificate with the upload dialog.\n\nTo avoid the manual generation of an individual certificate, the devices will be shipped with individual certificates starting with a future release.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004",
            "CSAFPID-31005",
            "CSAFPID-31006",
            "CSAFPID-31007",
            "CSAFPID-31008"
          ]
        }
      ],
      "title": "CVE-2020-9435"
    }
  ]
}