CVE-2020-9435

PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices contain a hardcoded certificate (and key) that is used by default for web-based services on the device. Impersonation, man-in-the-middle, or passive decryption attacks are possible if the generic certificate is not replaced by a device-specific certificate during installation.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/156729/Phoenix-Contact-TC-Router-TC-Cloud-Client-Command-Injection.html	Exploit Third Party Advisory
http://seclists.org/fulldisclosure/2020/Mar/15	Exploit Third Party Advisory
https://cert.vde.com/en-us/advisories/	Third Party Advisory
https://cert.vde.com/en-us/advisories/vde-2020-003	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:h:phoenixcontact:tc_router_3002t-4g:-:*:*:*:*:*:*:*

cpe:2.3:o:phoenixcontact:tc_router_3002t-4g_firmware:*:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:h:phoenixcontact:tc_router_2002t-3g:-:*:*:*:*:*:*:*

cpe:2.3:o:phoenixcontact:tc_router_2002t-3g_firmware:*:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:h:phoenixcontact:tc_router_3002t-4g_vzw:-:*:*:*:*:*:*:*

cpe:2.3:o:phoenixcontact:tc_router_3002t-4g_vzw_firmware:*:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:h:phoenixcontact:tc_router_3002t-4g_att:-:*:*:*:*:*:*:*

cpe:2.3:o:phoenixcontact:tc_router_3002t-4g_att_firmware:*:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:h:phoenixcontact:tc_cloud_client_1002-4g:-:*:*:*:*:*:*:*

cpe:2.3:o:phoenixcontact:tc_cloud_client_1002-4g_firmware:*:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:h:phoenixcontact:tc_cloud_client_1002-txtx:-:*:*:*:*:*:*:*

cpe:2.3:o:phoenixcontact:tc_cloud_client_1002-txtx_firmware:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-03-12 14:15

Updated : 2020-03-16 15:47

NVD link : CVE-2020-9435

Mitre link : CVE-2020-9435

CVE.ORG link : CVE-2020-9435

JSON object : View

Products Affected

phoenixcontact

tc_router_3002t-4g_att
tc_cloud_client_1002-txtx_firmware
tc_router_3002t-4g
tc_cloud_client_1002-4g
tc_cloud_client_1002-txtx
tc_router_2002t-3g_firmware
tc_router_3002t-4g_vzw
tc_router_3002t-4g_vzw_firmware
tc_cloud_client_1002-4g_firmware
tc_router_2002t-3g
tc_router_3002t-4g_att_firmware
tc_router_3002t-4g_firmware

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2020-9435", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-03-12T14:15:21.707", "references": [{"url": "http://packetstormsecurity.com/files/156729/Phoenix-Contact-TC-Router-TC-Cloud-Client-Command-Injection.html", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2020/Mar/15", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://cert.vde.com/en-us/advisories/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://cert.vde.com/en-us/advisories/vde-2020-003", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices contain a hardcoded certificate (and key) that is used by default for web-based services on the device. Impersonation, man-in-the-middle, or passive decryption attacks are possible if the generic certificate is not replaced by a device-specific certificate during installation."}, {"lang": "es", "value": "PHOENIX CONTACT TC ROUTER 3002T-4G versiones hasta 2.05.3, TC ROUTER 2002T-3G versiones hasta 2.05.3, TC ROUTER 3002T-4G VZW versiones hasta 2.05.3, TC ROUTER 3002T-4G ATT versiones hasta 2.05.3, TC CLOUD CLIENTE 1002-4G versiones hasta 2.03.17, y los dispositivos TC CLOUD CLIENTE 1002-TXTX versiones hasta 1.03.17, contienen un certificado embebido (y clave) que es usado por defecto para los servicios basados ??en web en el dispositivo. Los ataques de suplantaci\u00f3n, de tipo man-in-the-middle o de descifrado pasivo son posibles si el certificado gen\u00e9rico no es reemplazado por un certificado espec\u00edfico del dispositivo durante la instalaci\u00f3n."}], "lastModified": "2020-03-16T15:47:07.533", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:tc_router_3002t-4g:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "34273B74-2964-4DDF-B464-6D312528366B"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:tc_router_3002t-4g_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07E46423-DD39-4CC3-8F01-4197F96F198F", "versionEndIncluding": "2.05.3"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:tc_router_2002t-3g:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "48CC1B25-5F26-4FE5-ABFD-A82BED8B8C93"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:tc_router_2002t-3g_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "151B6B99-65C3-4383-A420-E6D16E033176", "versionEndIncluding": "2.05.3"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:tc_router_3002t-4g_vzw:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CA9B96D9-DBCD-4858-94B1-CFE5AF2DD35E"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:tc_router_3002t-4g_vzw_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3C40123-D686-4816-9D2C-E55F64D19E6C", "versionEndIncluding": "2.05.3"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:tc_router_3002t-4g_att:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9C2CB341-1DD5-4A74-A6D4-5AA7F01E50BD"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:tc_router_3002t-4g_att_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0433B02A-59BA-4DEA-881B-94F653B6F181", "versionEndIncluding": "2.05.3"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:tc_cloud_client_1002-4g:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C42AB40F-8156-4C5C-86DC-8F10E6C70F4D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:tc_cloud_client_1002-4g_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D73E3ABC-1897-49E7-9B80-35E787CD0AD9", "versionEndIncluding": "2.03.17"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phoenixcontact:tc_cloud_client_1002-txtx:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B29F8CCF-9CF2-4227-AF2C-84218F1C19E9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phoenixcontact:tc_cloud_client_1002-txtx_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7A9F99AC-E317-4AC7-8AEF-F268ABFE0A49", "versionEndIncluding": "1.03.17"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2020-9435

7.5^/10

5.0^/10

Attach tags to `CVE-2020-9435`