9.1

CVE-2020-35685

EPSS 0.41%
Veröffentlicht 19.08.2021 12:15:08
Zuletzt bearbeitet 21.11.2024 05:27:50
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

An issue was discovered in HCC Nichestack 3.0. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, an attacker may be able to determine the ISN of current and future TCP connections and either hijack existing ones or spoof future ones. (Proper ISN generation should aim to follow at least the specifications outlined in RFC 6528.)

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hcc-embedded ≫ Nichestack Version3.0

Siemens ≫ Sentron 3wa Com190 Firmware Version < 2.0.0

Siemens ≫ Sentron 3wa Com190 Version-

Siemens ≫ Sentron 3wl Com35 Firmware Version < 1.2.0

Siemens ≫ Sentron 3wl Com35 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.41%	0.582

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:P/A:N

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

https://www.forescout.com/blog/new-critical-operational-technology-vulnerabilities-found-on-nichestack/

Third Party Advisory

Mitigation

https://www.kb.cert.org/vuls/id/608209

Third Party Advisory

US Government Resource

https://cert-portal.siemens.com/productcert/pdf/ssa-789208.pdf

Third Party Advisory

Mitigation

https://www.hcc-embedded.com

Product

https://nvd.nist.gov/vuln/detail/CVE-2020-35685

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-35685

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-35685

EUVD