NSA Urgently Warns on Industrial Cyberattacks, Triconex Critical Bug
2020-07-24T16:32:45
ID THREATPOST:505C30AE8E8085E4EBC1FED5D6E92995 Type threatpost Reporter Tara Seals Modified 2020-07-24T16:32:45
Description
The U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert warning that adversaries could be targeting critical infrastructure across the U.S.
Separately, ICS-CERT issued an advisory (ICSA-20-205-01) on a critical security bug in the Schneider Electric Triconex TriStation engineering software and Tricon Communication Module. These safety instrumented system (SIS) controllers are responsible for shutting down plant operations in the event of a problem and act as an automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire. They were targeted in the past, in the TRITON attack of 2017.
“Over recent months, cyber-actors have demonstrated their continued willingness to conduct malicious cyber-activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets,” said the NSA/CISA joint advisory (AA20-205A), released on Thursday. “Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.”
Vulnerable OT Systems
The advisory goes on to point out that OT systems often consist of legacy equipment that was never designed to be connected to the internet nor defend against malicious cyberactivities. At the same time, more and more utilities, petrochemical installations, factories and so on are looking to increase remote operations. This means conducting various activities over the web using an IT network to connect to the OT side, enabling monitoring, instrumentation and control, OT asset management/maintenance, and in some cases, process operations and maintenance.
Generally, adversaries are using spearphishing efforts to obtain initial access to the organization’s IT network, before pivoting to the OT network, the advisory added.
“Combined with readily available information that identifies OT assets connected via the internet (e.g., Shodan, Kamerka), are creating a ‘perfect storm’ of easy access to unsecured assets, use of common, open-source information about devices, and an extensive list of exploits deployable via common exploit frameworks,” the agencies warned.
The NSA/CISA advisory also detailed several attack attempts observed in the wild: deploying commodity ransomware on both IT and OT networks; connecting to controllers and downloading modified control logic to them; using vendor engineering software and program downloads; and modifying control logic and parameters on programmable logic controllers (PLCs). PLCs directly read and manipulate physical processes in industrial environments, so a logic change on a PLC is a change to the physical process itself.
If successful, these efforts could result in an OT network going down, a partial loss of view for human operators, lost productivity and revenue, or, in the worst-case scenario, adversary control and disruption to physical processes.
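The tradecraft above (reaching controllers from the IT side, pushing logic with engineering software) is exactly what the network-isolation guidance in the ICS-CERT advisory is meant to prevent, and the guidance can be checked mechanically against connection logs. The Python script below is an added example, not code from the advisory, from Schneider or from Threatpost. It scans constructed connection-log lines against a hypothetical zone layout (business LAN, ICS DMZ, and a safety network holding one TriStation engineering workstation and one Tricon TCM; every address is invented) and flags business-to-safety flows, safety-zone hosts reaching the internet, the engineering workstation talking outside the safety network, and TriStation traffic to the controller from any host other than the engineering workstation. The TriStation port (UDP/1502) is an assumption taken from the TRITON tooling, not from this page.

```python
"""Zone-policy checks over connection logs for a Tricon safety network.

Added example, not code from the advisory or the article. The zone layout,
host addresses and log lines are constructed for illustration; the TriStation
port (UDP/1502) is an assumption taken from the TRITON tooling, not from the
advisory.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical zone layout (assumption): business LAN, an ICS DMZ, and the
# safety network holding one TriStation engineering workstation and one TCM.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "safety": ipaddress.ip_network("10.30.0.0/24"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.30.0.10")}  # only host allowed to program the SIS
CONTROLLERS = {ipaddress.ip_address("10.30.0.50")}               # the Tricon TCM
TRISTATION_PORT = 1502  # assumption: UDP/1502, the port TRITON's TriStation client used

# Constructed log format: "<ts> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def zone_of(addr):
    """Map an address to a named zone, other internal space, or the internet."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    if any(addr in net for net in RFC1918):
        return "other-internal"
    return "external"


def check_flow(line):
    """Return the policy findings for one log line (empty list if it is clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    proto, dport = m["proto"].lower(), int(m["dport"])
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    findings = []
    # Safety network must be isolated from the business network.
    if src_zone == "business" and dst_zone == "safety":
        findings.append(Finding("business-to-safety", line))
    # Nothing on the safety network should reach the internet.
    if src_zone == "safety" and dst_zone == "external":
        findings.append(Finding("safety-to-internet", line))
    # The engineering workstation must never talk to any other network.
    if src in ENGINEERING_WORKSTATIONS and dst_zone != "safety":
        findings.append(Finding("workstation-left-safety-net", line))
    # Only the engineering workstation may speak TriStation to a controller.
    if (dst in CONTROLLERS and proto == "udp" and dport == TRISTATION_PORT
            and src not in ENGINEERING_WORKSTATIONS):
        findings.append(Finding("tristation-from-unexpected-host", line))
    return findings


def scan(lines):
    """Run check_flow over an iterable of log lines and collect all findings."""
    out = []
    for line in lines:
        out.extend(check_flow(line))
    return out


# Constructed sample: one legitimate programming session, then four violating
# flows and one unrelated IT-only flow.
SAMPLE_LOG = [
    "2020-07-23T10:00:01Z src=10.30.0.10 dst=10.30.0.50 proto=udp dport=1502",
    "2020-07-23T10:00:07Z src=10.10.5.7 dst=10.30.0.50 proto=udp dport=1502",
    "2020-07-23T10:00:09Z src=10.20.0.5 dst=10.30.0.50 proto=udp dport=1502",
    "2020-07-23T10:01:12Z src=10.30.0.50 dst=203.0.113.9 proto=tcp dport=443",
    "2020-07-23T10:02:30Z src=10.30.0.10 dst=10.10.3.3 proto=tcp dport=445",
    "2020-07-23T10:03:00Z src=10.10.5.7 dst=10.20.0.5 proto=tcp dport=3389",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:34s} {f.line}")
```

On a real network the same rules would run over firewall or flow exports taken at the IT/OT boundary. The TriStation rule is the network-side complement of the advisory's recommendation to alarm whenever the Tricon key switch is left in PROGRAM mode: a logic download needs both the key switch position and a TriStation session, so either signal alone is worth an alert.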
“Cyber campaigns are an ideal way for nation-states to apply pressure on the global stage, because they offer the advantage of plausible deniability plus the rules of engagement are undefined,” Phil Neray, vice president of industrial cybersecurity at CyberX, said via email. “This NSA/CISA advisory is particularly interesting because it appears to be tied to ongoing campaigns targeting industrial control systems, and it explicitly mentions the need for organizations to protect against sophisticated living-off-the-land tactics such as modifying the control logic in process controllers, which is exactly what we saw in the TRITON attack.”
Two partial-loss-of-view incidents have been recorded in the U.S. before: a ransomware attack on a pipeline in February 2020 that knocked it offline for two days, and an attack on a wind-and-solar power utility in November 2019. Loss of view means that the organization loses the ability to monitor the current status of its physical systems.
Neray said in an interview with Threatpost at the time that “if an attacker wanted to shut down parts of the grid, one of their first steps might be precisely this loss-of-view step, because it would leave utility operators ‘blind’ to subsequent disruptive actions the attackers would take, such as switching relays off to halt the flow of electricity.”
Triconex Redux…and a Critical Bug
Coinciding with the NSA/CISA alert is an ICS-CERT advisory (ICSA-20-205-01, credited to Schneider Electric and Reid Wightman of Dragos) about five bugs in legacy Triconex SIS equipment from Schneider, one of them critical and rated 10.0 out of 10 on the CVSS v3 vulnerability-severity scale.
“Successful exploitation of these vulnerabilities may allow an attacker to view clear text data on the network, cause a denial-of-service condition or allow improper access,” according to the document.
The disclosure is concerning, given the targeting of this Triconex SIS in the past. In 2017, a Middle Eastern oil and gas petrochemical facility was hit with a malware called TRITON (also TRISIS or HatMan), which exceeded other industrial cyberattacks because it directly interacted with and controlled the Triconex SIS. Because the SIS is the last line of automated safety defense for industrial facilities (i.e., protection functions meant to safeguard human lives) shutting it down paves the way for a destructive, physical attack that’s unhampered by failsafe mechanisms. In the case of the TRITON attack, that next stage thankfully never came – the attack was manually thwarted before it could get that far.
The new crop of bugs impacts TriStation 1131 v1.0.0 to v4.9.0, v4.10.0 and 4.12.0, running on Windows NT, Windows XP or Windows 7; and Tricon Communications Module (TCM) models 4351, 4352, 4351A/B and 4352A/B installed in Tricon v10.0 to v10.5.3 systems. Current and more recent versions are not exposed to these specific vulnerabilities, but many ICS installations are still running legacy versions. None of the fixes is new: Schneider shipped TriStation v4.9.1 and v4.10.1 in May 2013 and v4.13.0 in January 2015, and Tricon v10.5.0 in August 2009 and v10.5.4 in February 2012. The advisory therefore assigns CVEs to issues fixed years ago, and the practical question for an operator is which TCM firmware and TriStation build is actually installed.
The critical bug (CVE-2020-7491) is an improper access control flaw: “A legacy debug port account in TCMs installed in Tricon system Versions 10.2.0 through 10.5.3 is visible on the network and could allow inappropriate access.” ICS-CERT's 10.0 rests on a vector that assumes a scope change and full loss of confidentiality, integrity and availability (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); NVD scores the same CVE 7.5 with a confidentiality-only vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Either way the account is reachable over the network without authentication, and the fix is TCM firmware 10.5.4.
There are also four less-severe issues. The bug tracked as CVE-2020-7484 (severity rating of 7.5) allows uncontrolled resource consumption, according to ICS-CERT: “A vulnerability related to the password feature in TriStation 1131 Versions 1.0 through 4.12.0 could allow a denial-of-service attack if the user is not following documented guidelines pertaining to dedicated TriStation 1131 connection and key-switch protection.”
Meanwhile, a second uncontrolled resource consumption bug (CVE-2020-7486), also with a CVSS score of 7.5, could cause TCMs installed in Tricon system Versions 10.0.0 through 10.4.x to reset under high network load, which would amount to a denial of service against the SIS. Schneider addressed it in Tricon v10.5.0, released in August 2009.
Another bug (CVE-2020-7485) is a hidden-functionality issue with a severity rating of 5.5: “A vulnerability related to a legacy support account in TriStation 1131 versions 1.0 through 4.9.0 and 4.10.0 could allow inappropriate access to the TriStation 1131 project file.” Its vector is local (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N), so exploiting it requires access to the engineering workstation itself.
And finally, CVE-2020-7483 (severity rating of 5.3) allows cleartext transmission of sensitive information. “A vulnerability related to the “password” feature in TriStation 1131 Versions 1.0 through 4.12.0 could cause certain data to be visible on the network when the feature was enabled,” according to the advisory. The “password” feature was an optional check by which TriStation 1131 confirmed it was connected to a specific controller, and the check data went over the wire in clear text; the feature was removed in v4.9.1 and v4.10.1. NVD scores this one 7.5 with a confidentiality-only vector, whereas ICS-CERT's 5.3 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N) rates integrity rather than confidentiality.
The NSA/CISA alert urges patching and mitigations across the civilian and military OT landscape, and lists concrete steps to take within the advisory.
“OT assets are critical to the Department of Defense (DoD) mission and underpin essential National Security Systems (NSS) and services, as well as the Defense Industrial Base (DIB) and other critical infrastructure,” it reads. “At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take…immediate steps to ensure resilience and safety of U.S. systems should a time of crisis emerge in the near term.”
Source: https://threatpost.com/nsa-urgent-warning-industrial-cyberattacks-triconex/157723/

Links referenced in the article:
ICS-CERT advisory ICSA-20-205-01: https://us-cert.cisa.gov/ics/advisories/icsa-20-205-01
NSA/CISA joint alert AA20-205A: https://us-cert.cisa.gov/ncas/alerts/aa20-205a
Threatpost, "Understanding TRITON and the missing final stage of the attack": https://threatpost.com/understanding-triton-and-the-missing-final-stage-of-the-attack/134895/
Threatpost, pipeline disrupted by ransomware attack: https://threatpost.com/pipeline-disrupted-ransomware-attack/153049/
Threatpost, wind-and-solar utility cyberattack: https://threatpost.com/solar-wind-power-utility-cyberattack/149816/
Threatpost, TRITON ICS malware second victim: https://threatpost.com/triton-ics-malware-second-victim/143658/

CVEs covered: CVE-2020-7483, CVE-2020-7484, CVE-2020-7485, CVE-2020-7486, CVE-2020-7491
ICS-CERT advisory ICSA-20-205-01: Schneider Electric Triconex TriStation and Tricon Communication Module (published 2020-07-23; https://www.us-cert.gov/ics/advisories/icsa-20-205-01)

1. Executive summary
 * CVSS v3 10.0
 * Attention: exploitable remotely/low skill level to exploit
 * Vendor: Schneider Electric
 * Equipment: Triconex TriStation and Triconex Tricon Communication Module
 * Vulnerabilities: Cleartext Transmission of Sensitive Information, Uncontrolled Resource Consumption, Hidden Functionality, Improper Access Control

2. Risk evaluation
Successful exploitation of these vulnerabilities may allow an attacker to view clear text data on the network, cause a denial-of-service condition, or allow improper access.

3. Technical details

3.1 Affected products
Schneider Electric has discovered and remediated multiple vulnerabilities affecting the following legacy versions of its Triconex brand safety instrumented system:
 * TriStation 1131, v1.0.0 to v4.9.0, v4.10.0, and 4.12.0, operating on Windows NT, Windows XP, or Windows 7.
 * Tricon Communications Module (TCM) Models 4351, 4352, 4351A/B, and 4352A/B installed in Tricon v10.0 to v10.5.3 systems.
Users of current and more recent versions of the identified firmware and software are not exposed to these specific vulnerabilities.

3.2 Vulnerability overview

3.2.1 Cleartext transmission of sensitive information (CWE-319)
A vulnerability related to the "password" feature in TriStation 1131 Versions 1.0 through 4.12.0 could cause certain data to be visible on the network when the feature was enabled.
CVE-2020-7483 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N.

3.2.2 Uncontrolled resource consumption (CWE-400)
A vulnerability related to the "password" feature in TriStation 1131 Versions 1.0 through 4.12.0 could allow a denial of service attack if the user is not following documented guidelines pertaining to dedicated TriStation 1131 connection and key-switch protection.
CVE-2020-7484 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

3.2.3 Hidden functionality (CWE-912)
A vulnerability related to a legacy support account in TriStation 1131 versions 1.0 through 4.9.0 and 4.10.0 could allow inappropriate access to the TriStation 1131 project file.
CVE-2020-7485 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N.

3.2.4 Uncontrolled resource consumption (CWE-400)
A vulnerability could cause TCMs installed in Tricon system Versions 10.0.0 through 10.4.x to reset when under high network load. This reset could result in a denial of service behavior with the SIS.
CVE-2020-7486 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

3.2.5 Improper access control (CWE-284)
A legacy debug port account in TCMs installed in Tricon system Versions 10.2.0 through 10.5.3 is visible on the network and could allow inappropriate access.
CVE-2020-7491 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

3.3 Background
 * Critical infrastructure sectors: Multiple Sectors
 * Countries/areas deployed: Worldwide
 * Company headquarters location: France

3.4 Researcher
CISA would like to thank Schneider Electric and Reid Wightman, Dragos, Inc., for their efforts leading to this public disclosure.

4. Mitigations
Schneider Electric released TriStation v4.9.1 and v4.10.1 on May 30, 2013 and 4.13.0 on January 26, 2015 to address these issues. Tricon v10.5.0 was released on August 13, 2009 and v10.5.4 on February 2, 2012 to address the issues.

Schneider Electric notified customers of updated product availability via direct-to-customer notification, and fixed versions of these offers are available for download at https://pasupport.schneider-electric.com/.

Schneider Electric strongly recommends following industry cybersecurity best practices:
 * Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
 * Install physical controls so no unauthorized personnel can access industrial control and safety systems, components, peripheral equipment, and networks.
 * Place all controllers in locked cabinets and never leave them in the "Program" mode.
 * Scan all methods of mobile data exchange with the isolated network, such as CDs, USB drives, etc., before use in the terminals or nodes connected to these networks.
 * Never allow laptops that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
 * Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
 * When remote access is required, use secure methods such as virtual private networks. Recognize that VPNs may have vulnerabilities and should therefore be updated to the most current version available. Also recognize that VPNs are only as secure as the connected devices.

Schneider Electric continues to recommend users always implement the instructions in the "Security Considerations," which include the following:
 * Ensure the cybersecurity features in Triconex solutions are always enabled.
 * Always deploy safety systems on isolated networks.
 * Secure all TriStation engineering workstations and never connect to any network other than the safety network.
 * Configure operator stations to display an alarm whenever the Tricon key switch is in the "PROGRAM" mode.

See Schneider Electric Security Bulletin SESB-2020-105-01 (https://www.se.com/ww/en/download/document/SESB-2020-105-01/) for more details of these vulnerabilities in legacy Triconex products.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.gov (https://www.us-cert.gov/ics/recommended-practices). Several recommended practices are available for reading and download, including "Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies" (https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf).

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov (https://www.us-cert.gov/ics) in the Technical Information Paper ICS-TIP-12-146-01B, "Targeted Cyber Intrusion Detection and Mitigation Strategies" (https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B).

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Contact information
For any questions related to this report, contact CISA at CISAservicedesk@cisa.dhs.gov or toll free at 1-888-282-0870. Industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics; incident reporting: https://us-cert.cisa.gov/report.

NVD records for the CVEs (as modified 2020-07-30)

CVE-2020-7483 (published 2020-04-16; CWE-200; CVSS v3.1 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N; CVSS v2 5.0, AV:N/AC:L/Au:N/C:P/I:N/A:N; no CPE entries). VERSION NOT SUPPORTED WHEN ASSIGNED. A vulnerability could cause certain data to be visible on the network when the 'password' feature is enabled. This vulnerability was discovered in and remediated in versions v4.9.1 and v4.10.1 on May 30, 2013. The 'password' feature is an additional optional check performed by TS1131 that it is connected to a specific controller. This data is sent as clear text and is visible on the network. This feature is not present in TriStation 1131 versions v4.9.1 and v4.10.1 through current. Therefore, the vulnerability is not present in these versions.

CVE-2020-7491 (published 2020-07-23; CWE-200; CVSS v3.1 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N; CVSS v2 5.0, AV:N/AC:L/Au:N/C:P/I:N/A:N; no CPE entries). VERSION NOT SUPPORTED WHEN ASSIGNED. A legacy debug port account in TCMs installed in Tricon system versions 10.2.0 through 10.5.3 is visible on the network and could allow inappropriate access. This vulnerability was remediated in TCM version 10.5.4.

CVE-2020-7486 (published 2020-04-16; CWE-400; CVSS v3.1 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H; CVSS v2 5.0, AV:N/AC:L/Au:N/C:N/I:N/A:P; CPE: Tricon TCM 4351, 4351A, 4351B, 4352, 4352A and 4352B firmware 10.3.x and 10.4.x). VERSION NOT SUPPORTED WHEN ASSIGNED. A vulnerability could cause TCM modules to reset when under high network load in TCM v10.4.x and in system v10.3.x. This vulnerability was discovered and remediated in version v10.5.x on August 13, 2009. TCMs from v10.5.x and on will no longer exhibit this behavior.
"cpe:2.3:o:se:tricon_tcm_4352_firmware:10.3.x:*:*:*:*:*:*:*", "cpe:2.3:o:se:tricon_tcm_4351a_firmware:10.4.x:*:*:*:*:*:*:*", "cpe:2.3:o:se:tricon_tcm_4351b_firmware:10.4.x:*:*:*:*:*:*:*", "cpe:2.3:o:se:tricon_tcm_4351b_firmware:10.3.x:*:*:*:*:*:*:*", "cpe:2.3:o:se:tricon_tcm_4351_firmware:10.4.x:*:*:*:*:*:*:*", "cpe:2.3:o:se:tricon_tcm_4352a_firmware:10.4.x:*:*:*:*:*:*:*", "cpe:2.3:o:se:tricon_tcm_4351_firmware:10.3.x:*:*:*:*:*:*:*", "cpe:2.3:o:se:tricon_tcm_4352b_firmware:10.4.x:*:*:*:*:*:*:*", "cpe:2.3:o:se:tricon_tcm_4352b_firmware:10.3.x:*:*:*:*:*:*:*", "cpe:2.3:o:se:tricon_tcm_4352_firmware:10.4.x:*:*:*:*:*:*:*", "cpe:2.3:o:se:tricon_tcm_4351a_firmware:10.3.x:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:37:12", "description": "**VERSION NOT SUPPORTED WHEN ASSIGNED** A legacy support account in the TriStation software version v4.9.0 and earlier could cause improper access to the TriStation host machine. This was addressed in TriStation version v4.9.1 and v4.10.1 released on May 30, 2013.1", "edition": 9, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-16T19:15:00", "title": "CVE-2020-7485", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7485"], "modified": "2020-07-30T20:15:00", "cpe": ["cpe:/a:schneider-electric:tristation_1131:4.9.0"], "id": "CVE-2020-7485", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7485", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:schneider-electric:tristation_1131:4.9.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:37:12", "description": "**VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability with the former 'password' feature could allow a denial of service attack if the user is not following documented guidelines pertaining to dedicated TriStation connection and key-switch protection. This vulnerability was discovered and remediated in versions v4.9.1 and v4.10.1 on May 30, 2013. This feature is not present in version v4.9.1 and v4.10.1 through current. Therefore, the vulnerability is not present in these versions.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-16T19:15:00", "title": "CVE-2020-7484", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7484"], "modified": "2020-07-30T20:15:00", "cpe": [], "id": "CVE-2020-7484", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7484", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": []}]}