CVE-2020-12069 — HIGH (7.8)

Q: How severe is CVE-2020-12069?

CVE-2020-12069 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-12069?

Check the references section above for vendor advisories and patch information. Affected products include: Pilz Pmc, Codesys Control For Beaglebone, Codesys Control For Empc-A\/Imx6, Codesys Control For Iot2000, Codesys Control For Linux.

Vulnerability Description

In CODESYS V3 products in all versions prior V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Pilz	Pmc	>= 3.0.0, < 3.5.17
Codesys	Control For Beaglebone	< 3.5.16.0
Codesys	Control For Empc-A\/Imx6	< 3.5.16.0
Codesys	Control For Iot2000	< 3.5.16.0
Codesys	Control For Linux	< 3.5.16.0
Codesys	Control For Pfc100	< 3.5.16.0
Codesys	Control For Pfc200	< 3.5.16.0
Codesys	Control For Plcnext	< 3.5.16.0
Codesys	Control For Raspberry Pi	< 3.5.16.0
Codesys	Control Rte V3	< 3.5.16.0
Codesys	Control V3 Runtime System Toolkit	< 3.5.16.0
Codesys	Control Win V3	< 3.5.16.0
Codesys	Hmi V3	< 3.5.16.0
Codesys	V3 Simulation Runtime	< 3.5.16.0
Festo	Controller Cecc-D Firmware	2.3.8.0
Festo	Controller Cecc-D	-
Festo	Controller Cecc-Lk Firmware	2.3.8.0
Festo	Controller Cecc-Lk	-
Festo	Controller Cecc-S Firmware	2.3.8.0
Festo	Controller Cecc-S	-

Related Weaknesses (CWE)

CWE-916

References

https://cert.vde.com/en/advisories/VDE-2021-061/Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2022-022/Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2022-031/Third Party Advisory
https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=12943&token=d097958a6Vendor Advisory
https://cert.vde.com/en/advisories/VDE-2021-061/Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2022-022/Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2022-031/Third Party Advisory
https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=12943&token=d097958a6Vendor Advisory

FAQ

What is CVE-2020-12069?

CVE-2020-12069 is a vulnerability with a CVSS score of 7.8 (HIGH). In CODESYS V3 products in all versions prior V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can ...

How severe is CVE-2020-12069?

CVE-2020-12069 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-12069?

Check the references section above for vendor advisories and patch information. Affected products include: Pilz Pmc, Codesys Control For Beaglebone, Codesys Control For Empc-A\/Imx6, Codesys Control For Iot2000, Codesys Control For Linux.