[Japanese]

JVNDB-2020-000020

Multiple vulnerabilities in OpenBlocks IoT VX2

Overview

OpenBlocks IoT VX2 provided by Plat'Home Co., Ltd. contains multiple vulnerabilities.

Masahiro Murashima and Genta Kataoka of IERAE SECURITY INC. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2020-5535


CVSS V3 Severity:
Base Metrics: 5.4 (Medium) [IPA Score]
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics: 4.8 (Medium) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2020-5536
Affected Products


PlatHome
  • OpenBlocks IoT VX2 prior to Ver.4.0.0 (Ver.3 Series)

Impact

*An attacker who can access the device may execute an arbitrary OS command with root privileges - CVE-2020-5535
*An attacker who can access the device may bypass anthentication and initialize the device - CVE-2020-5536
Solution

[Update the Firmware]
Update to the latest version according to the information provided by the developer.
Vendor Information

PlatHome
CWE (What is CWE?)

  1. Improper Authentication(CWE-287) [IPA Evaluation]
  2. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2020-5535
  2. CVE-2020-5536
References

  1. JVN : JVN#19666251
  2. National Vulnerability Database (NVD) : CVE-2020-5535
  3. National Vulnerability Database (NVD) : CVE-2020-5536
Revision History

  • [2020/03/03]
      Web page was published