CVE-2020-12027
Published 2020-07-20
Priority P344 · medium · 4.3 · CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 53.02% (98.8th percentile)
All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built-in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPS.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | factorytalk_view_se | — | — |
Detection & IOCs
- CVE-2020-12027 is an information disclosure vulnerability in all versions of Rockwell Automation FactoryTalk View SE that exposes hostnames and file paths to remote authenticated attackers; monitor for authenticated HTTP/HTTPS requests to FactoryTalk View SE endpoints that return hostname or file path data to low-privileged users.
- CVE-2020-12027 is chained with four other vulnerabilities (CVE-2020-12029, CVE-2020-12028, CVE-2020-12031, and a race condition) in a full unauthenticated RCE exploit chain against FactoryTalk View SE; detection of any one of these CVEs should trigger investigation of the full chain.
- The full exploit chain (including the CVE-2020-12027 info leak) was weaponized in a public Metasploit module targeting FactoryTalk View SE as the IIS user; hunt for IIS process anomalies on FactoryTalk View SE hosts.
- All versions of FactoryTalk View SE are affected by CVE-2020-12027; there is no version-based scoping for detection, so any deployment is in scope.
- At time of CISA advisory publication, no known public exploits specifically targeted CVE-2020-12027 in isolation, but it was used as a component of a chained exploit demonstrated at Pwn2Own Miami 2020.
- CVSS v3 score for CVE-2020-12027 is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), indicating network-reachable, low-privilege, no-interaction required, but impact is limited to confidentiality (information disclosure only).
CVSS provenance
- nvd · v3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- nvd · v2.0 · 4.0 MEDIUM · AV:N/AC:L/Au:S/C:P/I:N/A:N
GHSA
GHSA-6p27-p48f-vh67: All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system
ghsa_unreviewed·2022-05-24
CVE-2020-12027 [MEDIUM] CWE-200 GHSA-6p27-p48f-vh67: All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system
CISA ICS
Rockwell Automation FactoryTalk View SE
cisa_ics·2020-06-18·CVSS 9.0
[CRITICAL] Rockwell Automation FactoryTalk View SE
ICS Advisory
## Rockwell Automation FactoryTalk View SE
Last Revised: June 18, 2020
Alert Code: ICSA-20-170-05
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.0
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Rockwell Automation
- Equipment: FactoryTalk View SE
- Vulnerabilities: Improper Input Validation, Improper Restriction of Operations Within The Bounds of a Memory Buffer, Permissions, Privileges, and Access Controls, Exposure of Sensitive Information to an Unauthorized Actor
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow a remote authenticate
- http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html
- https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944
- https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05
Published: 2020-07-20