SB2020072907 - Multiple vulnerabilities in Secomea GateManager
Published: July 29, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper Neutralization of Null Byte or NUL Character (CVE-ID: CVE-2020-14500)
The vulnerability allows a remote attacker to overwrite arbitrary data.
The vulnerability exists due to the affected software does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. A remote attacker can send a negative value and overwrite arbitrary data on the target system.
2) Off-by-one (CVE-ID: CVE-2020-14508)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an off-by-one error. A remote attacker can trigger an off-by-one error and execute arbitrary code on the target system or cause a denial of service (DoS) condition.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Use of hard-coded credentials (CVE-ID: CVE-2020-14510)
The vulnerability allows a remote attacker to gain full access to vulnerable system.
The vulnerability exists due to presence of hard-coded credentials in application code. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Use of Password Hash With Insufficient Computational Effort (CVE-ID: CVE-2020-14512)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected product uses a weak hash type. A remote attacker can view user passwords.
Remediation
Install update from vendor's website.