Description
AVE DOMINAplus <=1.10.x suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario.
Affected Software
Related
{"id": "CVE-2020-21996", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-21996", "description": "AVE DOMINAplus <=1.10.x suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario.", "published": "2021-04-28T15:15:00", "modified": "2022-05-03T16:04:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-21996", "reporter": "cve@mitre.org", "references": ["https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php", "https://www.exploit-db.com/exploits/47820"], "cvelist": ["CVE-2020-21996"], "immutableFields": [], "lastseen": "2022-05-06T13:45:49", "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:47820"]}, {"type": "zeroscience", "idList": ["ZSL-2019-5548"]}], "rev": 4}, "score": {"value": 6.2, "vector": "NONE"}, "twitter": {"counter": 4, "modified": "2021-04-29T09:37:08", "tweets": [{"link": "https://twitter.com/www_sesin_at/status/1395116009351155713", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2020-21996 (53ab-wbs_firmware, dominaplus, ts01_firmware, ts03x-v_firmware, ts04x-v_firmware, ts05_firmware, ts05n-v_firmware)) has been published on https://t.co/jUZVm0bav0?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1395116009351155713", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2020-21996 (53ab-wbs_firmware, dominaplus, ts01_firmware, ts03x-v_firmware, ts04x-v_firmware, ts05_firmware, ts05n-v_firmware)) has been published on https://t.co/jUZVm0bav0?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1395116018419343360", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2020-21996 (53ab-wbs_firmware, dominaplus, ts01_firmware, ts03x-v_firmware, ts04x-v_firmware, ts05_firmware, ts05n-v_firmware)) has been published on https://t.co/LALMQxa5SZ?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1395116018419343360", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2020-21996 (53ab-wbs_firmware, dominaplus, ts01_firmware, ts03x-v_firmware, ts04x-v_firmware, ts05_firmware, ts05n-v_firmware)) has been published on https://t.co/LALMQxa5SZ?amp=1"}]}, "backreferences": {"references": [{"type": "zeroscience", "idList": ["ZSL-2019-5548"]}]}, "exploitation": null, "vulnersScore": 6.2}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/o:ave:ts04x-v_firmware:1.10.45a", "cpe:/o:ave:ts05n-v_firmware:-", "cpe:/a:ave:dominaplus:1.10.77", "cpe:/o:ave:ts03x-v_firmware:1.10.45a", "cpe:/o:ave:53ab-wbs_firmware:1.10.62", "cpe:/o:ave:ts05_firmware:1.10.36", "cpe:/o:ave:ts01_firmware:1.0.65"], "cpe23": ["cpe:2.3:o:ave:53ab-wbs_firmware:1.10.62:*:*:*:*:*:*:*", "cpe:2.3:o:ave:ts03x-v_firmware:1.10.45a:*:*:*:*:*:*:*", "cpe:2.3:a:ave:dominaplus:1.10.77:*:*:*:*:*:*:*", "cpe:2.3:o:ave:ts05n-v_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:ave:ts01_firmware:1.0.65:*:*:*:*:*:*:*", "cpe:2.3:o:ave:ts04x-v_firmware:1.10.45a:*:*:*:*:*:*:*", "cpe:2.3:o:ave:ts05_firmware:1.10.36:*:*:*:*:*:*:*"], "cwe": ["CWE-306"], "affectedSoftware": [{"cpeName": "ave:dominaplus", "version": "1.10.77", "operator": "le", "name": "ave dominaplus"}, {"cpeName": "ave:53ab-wbs_firmware", "version": "1.10.62", "operator": "eq", "name": "ave 53ab-wbs firmware"}, {"cpeName": "ave:ts01_firmware", "version": "1.0.65", "operator": "eq", "name": "ave ts01 firmware"}, {"cpeName": "ave:ts03x-v_firmware", "version": "1.10.45a", "operator": "eq", "name": "ave ts03x-v firmware"}, {"cpeName": "ave:ts04x-v_firmware", "version": "1.10.45a", "operator": "eq", "name": "ave ts04x-v firmware"}, {"cpeName": "ave:ts05_firmware", "version": "1.10.36", "operator": "eq", "name": "ave ts05 firmware"}, {"cpeName": "ave:ts05n-v_firmware", "version": "-", "operator": "eq", "name": "ave ts05n-v firmware"}], "affectedConfiguration": [{"name": "ave 53ab-wbs", "cpeName": "ave:53ab-wbs", "version": "-", "operator": "eq"}, {"name": "ave ts01", "cpeName": "ave:ts01", "version": "-", "operator": "eq"}, {"name": "ave ts03x-v", "cpeName": "ave:ts03x-v", "version": "-", "operator": "eq"}, {"name": "ave ts04x-v", "cpeName": "ave:ts04x-v", "version": "-", "operator": "eq"}, {"name": "ave ts05", "cpeName": "ave:ts05", "version": "-", "operator": "eq"}, {"name": "ave ts05n-v", "cpeName": "ave:ts05n-v", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:ave:dominaplus:1.10.77:*:*:*:*:*:*:*", "versionStartIncluding": "1.8.4", "versionEndIncluding": "1.10.77", "cpe_name": []}]}, {"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:ave:53ab-wbs_firmware:1.10.62:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:ave:53ab-wbs:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}, {"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:ave:ts01_firmware:1.0.65:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:ave:ts01:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}, {"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:ave:ts03x-v_firmware:1.10.45a:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:ave:ts03x-v:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}, {"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:ave:ts04x-v_firmware:1.10.45a:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:ave:ts04x-v:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}, {"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:ave:ts05_firmware:1.10.36:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:ave:ts05:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}, {"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:ave:ts05n-v_firmware:-:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:ave:ts05n-v:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php", "name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/47820", "name": "Exploit Database", "refsource": "EXPLOIT-DB", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"zeroscience": [{"lastseen": "2021-12-12T07:55:38", "description": "Title: AVE DOMINAplus <=1.10.x Unauthenticated Remote Reboot \nAdvisory ID: [ZSL-2019-5548](<ZSL-2019-5548.php>) \nType: Local/Remote \nImpact: DoS \nRisk: (3/5) \nRelease Date: 27.12.2019 \n\n\n##### Summary\n\nDOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System. Designed to revolutionize your concept of living. DOMINA plus is the AVE home automation proposal that makes houses safer, more welcoming and optimized. In fact, our home automation system introduces cutting-edge technologies, designed to improve people's lifestyle. DOMINA plus increases comfort, the level of safety and security and offers advanced supervision tools in order to learn how to evaluate and reduce consumption through various solutions dedicated to energy saving. \n\n##### Description\n\nThe application suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario. \n\n##### Vendor\n\nAVE S.p.A. - <https://www.ave.it>\n\n##### Affected Version\n\nWeb Server Code 53AB-WBS - 1.10.62 \nTouch Screen Code TS01 - 1.0.65 \nTouch Screen Code TS03x-V | TS04X-V - 1.10.45a \nTouch Screen Code TS05 - 1.10.36 \nModels: 53AB-WBS \nTS01 \nTS03V \nTS04X-V \nTS05N-V \nApp version: 1.10.77 \nApp version: 1.10.65 \nApp version: 1.10.64 \nApp version: 1.10.62 \nApp version: 1.10.60 \nApp version: 1.10.52 \nApp version: 1.10.52A \nApp version: 1.10.49 \nApp version: 1.10.46 \nApp version: 1.10.45 \nApp version: 1.10.44 \nApp version: 1.10.35 \nApp version: 1.10.25 \nApp version: 1.10.22 \nApp version: 1.10.11 \nApp version: 1.8.4 \nApp version: TS1-1.0.65 \nApp version: TS1-1.0.62 \nApp version: TS1-1.0.44 \nApp version: TS1-1.0.10 \nApp version: TS1-1.0.9 \n\n##### Tested On\n\nGNU/Linux 4.1.19-armv7-x7 \nGNU/Linux 3.8.13-bone50/bone71.1/bone86 \nApache/2.4.7 (Ubuntu) \nApache/2.2.22 (Debian) \nPHP/5.5.9-1ubuntu4.23 \nPHP/5.4.41-0+deb7u1 \nPHP/5.4.36-0+deb7u3 \n\n##### Vendor Status\n\n[06.10.2019] Vulnerability discovered. \n[14.10.2019] Vendor contacted. \n[20.10.2019] No response from the vendor. \n[21.10.2019] Vendor contacted. \n[26.12.2019] No response from the vendor. \n[27.12.2019] Public security advisory released. \n\n##### PoC\n\n[dominaplus_dos.txt](<../../codes/dominaplus_dos.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://packetstormsecurity.com/files/155761> \n[2] <https://www.exploit-db.com/exploits/47820> \n[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/173617> \n[4] <https://cxsecurity.com/issue/WLB-2019120114> \n[5] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21996> \n[6] <https://nvd.nist.gov/vuln/detail/CVE-2020-21996> \n[7] <https://www.tenable.com/cve/CVE-2020-21996>\n\n##### Changelog\n\n[27.12.2019] - Initial release \n[29.12.2019] - Added reference [1] \n[24.01.2020] - Added reference [2], [3] and [4] \n[19.06.2021] - Added reference [5], [6] and [7] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-12-27T00:00:00", "type": "zeroscience", "title": "AVE DOMINAplus <=1.10.x Unauthenticated Remote Reboot", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-21996"], "modified": "2019-12-27T00:00:00", "id": "ZSL-2019-5548", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php", "sourceData": "<html><body><p>AVE DOMINAplus <=1.10.x Unauthenticated Remote Reboot\r\n\r\n\r\nVendor: AVE S.p.A.\r\nProduct web page: https://www.ave.it | https://www.domoticaplus.it\r\nAffected version: Web Server Code 53AB-WBS - 1.10.62\r\n Touch Screen Code TS01 - 1.0.65\r\n Touch Screen Code TS03x-V | TS04X-V - 1.10.45a\r\n Touch Screen Code TS05 - 1.10.36\r\n Models: 53AB-WBS\r\n TS01\r\n TS03V\r\n TS04X-V\r\n TS05N-V\r\n App version: 1.10.77\r\n App version: 1.10.65\r\n App version: 1.10.64\r\n App version: 1.10.62\r\n App version: 1.10.60\r\n App version: 1.10.52\r\n App version: 1.10.52A\r\n App version: 1.10.49\r\n App version: 1.10.46\r\n App version: 1.10.45\r\n App version: 1.10.44\r\n App version: 1.10.35\r\n App version: 1.10.25\r\n App version: 1.10.22\r\n App version: 1.10.11\r\n App version: 1.8.4\r\n App version: TS1-1.0.65\r\n App version: TS1-1.0.62\r\n App version: TS1-1.0.44\r\n App version: TS1-1.0.10\r\n App version: TS1-1.0.9\r\n\r\nSummary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System.\r\nDesigned to revolutionize your concept of living. DOMINA plus is the AVE home\r\nautomation proposal that makes houses safer, more welcoming and optimized. In\r\nfact, our home automation system introduces cutting-edge technologies, designed\r\nto improve people's lifestyle. DOMINA plus increases comfort, the level of safety\r\nand security and offers advanced supervision tools in order to learn how to\r\nevaluate and reduce consumption through various solutions dedicated to energy\r\nsaving.\r\n\r\nDesc: The application suffers from an unauthenticated reboot command execution.\r\nAttackers can exploit this issue to cause a denial of service scenario.\r\n\r\nTested on: GNU/Linux 4.1.19-armv7-x7\r\n GNU/Linux 3.8.13-bone50/bone71.1/bone86\r\n Apache/2.4.7 (Ubuntu)\r\n Apache/2.2.22 (Debian)\r\n PHP/5.5.9-1ubuntu4.23\r\n PHP/5.4.41-0+deb7u1\r\n PHP/5.4.36-0+deb7u3\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2019-5548\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php\r\n\r\n\r\n06.10.2019\r\n\r\n--\r\n\r\ncurl -sk https://192.168.1.10/restart.php >/dev/null\r\n</p></body></html>", "sourceHref": "http://zeroscience.mk/codes/dominaplus_dos.txt", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}
CVE-2020-21996
