CVSS2: 9 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.7 High (Confidence: High)
EPSS: 0.033 Low (Percentile: 91.4%)

Meinberg Lantime devices allow attackers (with privileges to configure a device) to execute arbitrary OS commands by editing the /config/netconf.cmd script (aka Extended Network Configuration). Note: According to the description, the vulnerability requires a fully authenticated super-user account using a webUI function that allows super users to edit a script supposed to execute OS commands. The given weakness enumeration (CWE-78) is not applicable in this case as it refers to abusing functions/input fields not supposed to be accepting OS commands by using 'Special Elements'.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
  script_id(502232);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/03");

  script_cve_id("CVE-2020-7240");

  script_name(english:"Meinberg LANTIME Remote Code Execution (CVE-2020-7240)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"Meinberg Lantime devices allow attackers (with
privileges to configure a device) to execute arbitrary OS commands by
editing the /config/netconf.cmd script (aka Extended Network
Configuration). Note: According to the description, the vulnerability
requires a fully authenticated super-user account using a webUI
function that allows super users to edit a script supposed to execute
OS commands. The given weakness enumeration (CWE-78) is not applicable
in this case as it refers to abusing functions/input fields not
supposed to be accepting OS commands by using 'Special Elements.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://sku11army.blogspot.com/2020/01/meinberg-lantime-m1000-rce.html");
  script_set_attribute(attribute:"see_also", value:"https://wolke.meinberg.de/index.php/s/dKP3PKgFXS6sPRE#pdfviewer");
  # https://www.meinbergglobal.com/english/news/meinberg-security-advisory-mbgsa-1902-meinberg-lantime-firmware-v7.htm
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3c796879");
  script_set_attribute(attribute:"solution", value:
"Deactivate web interface (deactivate HTTP/HTTPS).
The intended feature that is used in CVE-2020-7240 is only allowed
to super users which have root access. Other authenticated users are
not allowed to use this functionality. Due to the need of the highest
access rights we do not currently plan to change this behavior.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-7240");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(78);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/02");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:ims-lantime_m1000");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:ims-lantime_m1000s");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:ims-lantime_m3000");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:ims-lantime_m3000s");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:ims-lantime_m4000");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:ims-lantime_m500");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:lantime_m100");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:lantime_m200");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:lantime_m300");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:lantime_m400");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:lantime_m600");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:lantime_m900");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Meinberg");

  exit(0);
}

include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Meinberg');
var asset = tenable_ot::assets::get(vendor:'Meinberg');

var vuln_cpes = {
    "cpe:/h:meinberg:ims-lantime_m1000:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m1000s:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m3000:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m3000s:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m4000:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m500:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m100:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m200:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m300:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m400:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m600:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m900:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m1000:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m1000s:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m3000:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m3000s:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m4000:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m500:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m100:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m200:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m300:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m400:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m600:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m900:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);

Vendor | Product | Version | CPE |
---|---|---|---|
meinberg | ims-lantime_m1000 | | cpe:/h:meinberg:ims-lantime_m1000 |
meinberg | ims-lantime_m1000s | | cpe:/h:meinberg:ims-lantime_m1000s |
meinberg | ims-lantime_m3000 | | cpe:/h:meinberg:ims-lantime_m3000 |
meinberg | ims-lantime_m3000s | | cpe:/h:meinberg:ims-lantime_m3000s |
meinberg | ims-lantime_m4000 | | cpe:/h:meinberg:ims-lantime_m4000 |
meinberg | ims-lantime_m500 | | cpe:/h:meinberg:ims-lantime_m500 |
meinberg | lantime_m100 | | cpe:/h:meinberg:lantime_m100 |
meinberg | lantime_m200 | | cpe:/h:meinberg:lantime_m200 |
meinberg | lantime_m300 | | cpe:/h:meinberg:lantime_m300 |
meinberg | lantime_m400 | | cpe:/h:meinberg:lantime_m400 |