CVE-2020-5802

An attacker-controlled memory allocation size can be passed to the C++ new operator in RnaDaSvr.dll by sending a specially crafted ConfigureItems message to TCP port 4241. This will cause an unhandled exception, resulting in termination of RSLinxNG.exe. Observed in FactoryTalk 6.11. All versions of FactoryTalk Linx are affected.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://www.tenable.com/security/research/tra-2020-71	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:rockwellautomation:factorytalk_linx:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-12-29 16:15

Updated : 2024-02-28 18:08

NVD link : CVE-2020-5802

Mitre link : CVE-2020-5802

CVE.ORG link : CVE-2020-5802

JSON object : View

Products Affected

rockwellautomation

factorytalk_linx

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2020-5802", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-12-29T16:15:14.840", "references": [{"url": "https://www.tenable.com/security/research/tra-2020-71", "tags": ["Third Party Advisory"], "source": "vulnreport@tenable.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "An attacker-controlled memory allocation size can be passed to the C++ new operator in RnaDaSvr.dll by sending a specially crafted ConfigureItems message to TCP port 4241. This will cause an unhandled exception, resulting in termination of RSLinxNG.exe. Observed in FactoryTalk 6.11. All versions of FactoryTalk Linx are affected."}, {"lang": "es", "value": "Un tama\u00f1o de asignaci\u00f3n de memoria controlado por el atacante puede ser pasado al nuevo operador de C++ en la biblioteca RnaDaSvr.dll mediante el env\u00edo de un mensaje ConfigureItems especialmente dise\u00f1ado hacia el puerto TCP 4241. Esto causar\u00e1 una excepci\u00f3n no manejada, resultando en la terminaci\u00f3n del archivo RSLinxNG.exe. Observado en FactoryTalk versi\u00f3n 6.11. Todas las versiones de FactoryTalk Linx est\u00e1n afectadas"}], "lastModified": "2022-07-12T17:42:04.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rockwellautomation:factorytalk_linx:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89622117-4485-4204-A5DA-B72F7F13D353", "versionEndIncluding": "6.11"}], "operator": "OR"}]}], "sourceIdentifier": "vulnreport@tenable.com"}