Missing Authentication for Critical Function in GE products - CVE-2020-12017

 

Missing Authentication for Critical Function in GE products - CVE-2020-12017

Published: June 3, 2020


Vulnerability identifier: #VU28548
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-12017
CWE-ID: CWE-306
Exploitation vector: Adjecent network
Exploit availability: No public exploit available
Vendor: GE
Affected software:
Reason RT430
Reason RT431
Reason RT434

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to an insufficient authentication mechanism in the web application. A remote attacker on the local network can send a specially crafted request to execute arbitrary commands, change the password of the "configuration" user account to modify the configuration of the device, or bypass the authentication required to configure the device and reboot the system. 


How to mitigate CVE-2020-12017

Install updates from vendor's website.

Sources