CVE-2020-15785

A vulnerability has been identified in Siveillance Video Client (All versions). In environments where Windows NTLM authentication is enabled the affected client application transmits usernames to the server in cleartext. This could allow an attacker in a privileged network position to obtain valid adminstrator login names and use this information to launch further attacks.

CVSS v3 5.3 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-770698.pdf	Vendor Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-20-252-05	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:siemens:siveillance_video_client:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-09-09 19:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-15785

Mitre link : CVE-2020-15785

CVE.ORG link : CVE-2020-15785

JSON object : View

Products Affected

siemens

siveillance_video_client

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2020-15785", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2020-09-09T19:15:19.587", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-770698.pdf", "tags": ["Vendor Advisory"], "source": "productcert@siemens.com"}, {"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-252-05", "tags": ["Third Party Advisory", "US Government Resource"], "source": "productcert@siemens.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-319"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Siveillance Video Client (All versions). In environments where Windows NTLM authentication is enabled the affected client application transmits usernames to the server in cleartext. This could allow an attacker in a privileged network position to obtain valid adminstrator login names and use this information to launch further attacks."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Siveillance Video Client (todas las versiones). En entornos donde la autenticaci\u00f3n NTLM de Windows est\u00e1 habilitada, la aplicaci\u00f3n cliente afectada transmite los nombres de usuario al servidor en texto sin cifrar. Esto podr\u00eda permitir a un atacante en una posici\u00f3n de red privilegiada obtener nombres de inicio de sesi\u00f3n de administrador v\u00e1lidos y use esta informaci\u00f3n para iniciar nuevos ataques."}], "lastModified": "2023-01-27T18:21:38.310", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:siveillance_video_client:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CE8B8B3-22F1-4997-AEE3-EEAF4675D417"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}