nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_MEINBERG_CVE-2020-7240.NASL
HistoryMay 02, 2024 - 12:00 a.m.

Meinberg LANTIME Remote Code Execution (CVE-2020-7240)

2024-05-02 00:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
5
meinberg lantime
remote code execution
cve-2020-7240
arbitrary os commands
authenticated users
webui
tenable.ot

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.033 Low

EPSS

Percentile

91.4%

Meinberg Lantime devices allow attackers (with privileges to configure a device) to execute arbitrary OS commands by editing the /config/netconf.cmd script (aka Extended Network Configuration). Note: According to the description, the vulnerability requires a fully authenticated super-user account using a webUI function that allows super users to edit a script supposed to execute OS commands. The given weakness enumeration (CWE-78) is not applicable in this case as it refers to abusing functions/input fields not supposed to be accepting OS commands by using 'Special Elements'.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Metadata registration. This branch runs only when the `description` variable
# is set: it declares the plugin's identity, scoring, references and
# prerequisites, then exits before any detection statement is reached.
if (description)
{
  script_id(502232);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/03");

  script_cve_id("CVE-2020-7240");

  script_name(english:"Meinberg LANTIME Remote Code Execution (CVE-2020-7240)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  # The description text states that a fully authenticated super-user account
  # is needed and disputes the CWE-78 classification; read the scoring and CWE
  # metadata further down with that in mind.
  script_set_attribute(attribute:"description", value:
"Meinberg Lantime devices allow attackers (with
privileges to configure a device) to execute arbitrary OS commands by
editing the /config/netconf.cmd script (aka Extended Network
Configuration). Note: According to the description, the vulnerability
requires a fully authenticated super-user account using a webUI
function that allows super users to edit a script supposed to execute
OS commands. The given weakness enumeration (CWE-78) is not applicable
in this case as it refers to abusing functions/input fields not
supposed to be accepting OS commands by using 'Special Elements.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://sku11army.blogspot.com/2020/01/meinberg-lantime-m1000-rce.html");
  script_set_attribute(attribute:"see_also", value:"https://wolke.meinberg.de/index.php/s/dKP3PKgFXS6sPRE#pdfviewer");
  # https://www.meinbergglobal.com/english/news/meinberg-security-advisory-mbgsa-1902-meinberg-lantime-firmware-v7.htm
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3c796879");
  # NOTE(review): the solution offers only a mitigation (disable HTTP/HTTPS) and
  # says the vendor does not plan to change the behaviour, while the temporal
  # vectors below use RL:OF / RL:O (official fix) and a patch_publication_date
  # is set. Confirm which is accurate before telling asset owners that a
  # firmware upgrade closes this finding.
  script_set_attribute(attribute:"solution", value:
"Deactivate web interface (deactivate HTTP/HTTPS).

The intended feature that is used in CVE-2020-7240 is only allowed 
to super users which have root access. Other authenticated users are 
not allowed to use this functionality. Due to the need of the highest 
access rights we do not currently plan to change this behavior.");
  # Base vectors follow the CVE record (see cvss_score_source). They rate the
  # required privilege as Au:S / PR:L, whereas the description says a super-user
  # account is required. NOTE(review): weigh that difference when prioritising.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-7240");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # CWE-78 is recorded here even though the description argues it does not apply.
  script_cwe_id(78);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/02");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  # Affected hardware models, one CPE per call. These carry no version
  # component; no firmware range is declared anywhere in this block.
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:ims-lantime_m1000");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:ims-lantime_m1000s");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:ims-lantime_m3000");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:ims-lantime_m3000s");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:ims-lantime_m4000");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:ims-lantime_m500");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:lantime_m100");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:lantime_m200");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:lantime_m300");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:lantime_m400");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:lantime_m600");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:meinberg:lantime_m900");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  # Registered in the information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduled after tenable_ot_api_integration.nasl and launched only when the
  # "Tenable.ot/Meinberg" KB key is present.
  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Meinberg");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

# Stop here unless the "Tenable.ot/Meinberg" KB key has been set.
get_kb_item_or_exit('Tenable.ot/Meinberg');

# Asset record for this vendor. Its fields come from the tenable_ot helpers and
# are not visible in this file.
var asset = tenable_ot::assets::get(vendor:'Meinberg');

# Affected firmware ranges, keyed by hardware CPE plus a ":v6" / ":v7" suffix so
# that each model carries one range per firmware branch:
#   v6 branch: 6.0 up to, but not including, 6.24.024
#   v7 branch: 7.0 up to, but not including, 7.00.002
# The bounds are read from the versionStartIncluding / versionEndExcluding key
# names; presumably compare_and_report interprets them that way - TODO confirm.
# NOTE(review): how zero-padded segments such as "7.00.002" compare with the
# version string an asset reports is decided inside the helper; verify with
# firmware just below and exactly at each upper bound.
var vuln_cpes = {
    "cpe:/h:meinberg:ims-lantime_m1000:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m1000s:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m3000:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m3000s:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m4000:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m500:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m100:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m200:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m300:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m400:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m600:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m900:v6" :
        {"versionStartIncluding" : "6.0", "versionEndExcluding" : "6.24.024", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m1000:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m1000s:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m3000:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m3000s:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m4000:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:ims-lantime_m500:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m100:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m200:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m300:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m400:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m600:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"},
    "cpe:/h:meinberg:lantime_m900:v7" :
        {"versionStartIncluding" : "7.0", "versionEndExcluding" : "7.00.002", "family" : "LANTIME"}
};

# Hands the asset and the range table to the shared helper, which does the
# matching and reporting; findings are raised with SECURITY_HOLE severity.
# No statement in this file probes the device's web UI, so the check appears to
# be version-based only: a finding would mean the recorded firmware is in range,
# not that the web interface is reachable or that super-user credentials are
# exposed - confirm against the helper.
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| meinberg | ims-lantime_m1000 | | cpe:/h:meinberg:ims-lantime_m1000 |
| meinberg | ims-lantime_m1000s | | cpe:/h:meinberg:ims-lantime_m1000s |
| meinberg | ims-lantime_m3000 | | cpe:/h:meinberg:ims-lantime_m3000 |
| meinberg | ims-lantime_m3000s | | cpe:/h:meinberg:ims-lantime_m3000s |
| meinberg | ims-lantime_m4000 | | cpe:/h:meinberg:ims-lantime_m4000 |
| meinberg | ims-lantime_m500 | | cpe:/h:meinberg:ims-lantime_m500 |
| meinberg | lantime_m100 | | cpe:/h:meinberg:lantime_m100 |
| meinberg | lantime_m200 | | cpe:/h:meinberg:lantime_m200 |
| meinberg | lantime_m300 | | cpe:/h:meinberg:lantime_m300 |
| meinberg | lantime_m400 | | cpe:/h:meinberg:lantime_m400 |

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.033 Low

EPSS

Percentile

91.4%
