Lucene search

ZephyrCVELIST:CVE-2020-10059

HistoryMay 11, 2020 - 10:26 p.m.

CVE-2020-10059 UpdateHub Module Explicitly Disables TLS Verification

2020-05-1122:26:16

CWE-295

zephyr

www.cve.org

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

41.4%

JSON

The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions.

CNA Affected

[
  {
    "product": "zephyr",
    "vendor": "zephyrproject-rtos",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "2.1.0",
        "versionType": "custom"
      }
    ]
  }
]

References

docs.zephyrproject.org/latest/security/vulnerabilities.html#cve-2020-10059

github.com/zephyrproject-rtos/zephyr/pull/24954

github.com/zephyrproject-rtos/zephyr/pull/24997

github.com/zephyrproject-rtos/zephyr/pull/24999

zephyrprojectsec.atlassian.net/browse/ZEPSEC-36

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

41.4%

JSON

Related for CVELIST:CVE-2020-10059