Full Report
Inadequate Encryption Strength in Emerson OpenEnterprise SCADA versions before 3.3.4.
Analysis Summary
# Vulnerability: Inadequate Encryption Strength in Emerson OpenEnterprise SCADA
## CVE Details
- CVE ID: CVE-2020-10636
- CVSS Score: 0.0 (None) as stated in the source text. The accompanying vector `CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N` calculates to a base score of 6.5 (Medium) under the CVSS v3.0 formula, and a base score of 0.0 can only result from a vector with no confidentiality, integrity or availability impact, so the stated score is inconsistent with the stated vector. Treat the vector as the more reliable description of the risk.
- CWE: Not explicitly listed in the summary text; the vulnerability title, "Inadequate Encryption Strength", is the name of CWE-326.
## Affected Systems
- Products: Emerson OpenEnterprise SCADA
- Versions: Versions before 3.3.4
- Configurations: Not specified beyond the product and version range.
## Vulnerability Description
The affected versions of Emerson OpenEnterprise SCADA protect OpenEnterprise user account passwords with encryption that is too weak for the purpose. An attacker who can obtain the protected password material may therefore be able to recover the plaintext passwords for OpenEnterprise user accounts.
## Exploitation
- Status: PoC available (the source states "Existence of exploit PoC").
- Complexity: Low (AC:L in the CVSS vector; the source also states "Exploit complexity: Low").
- Attack Vector: Local (AV:L). The vector additionally specifies PR:L and UI:N, so an attacker already holding low-privilege access to the host can exploit the flaw without any user interaction; S:C indicates the impact reaches beyond the vulnerable component itself.
## Impact
- Confidentiality: High (C:H from CVSS Vector)
- Integrity: None (I:N from CVSS Vector)
- Availability: None (A:N from CVSS Vector)
## Remediation
### Patches
- Upgrade to OpenEnterprise 3.3.5 (OpenEnterprise 3.3 Service Pack 5). Because passwords protected by the weak scheme may already have been recovered, a practitioner should also rotate OpenEnterprise user account passwords once the upgrade is in place.
### Workarounds
- None listed by the vendor in this source; the only recommendation is to upgrade without delay.
## Detection
- Indicators of Compromise: None specific. The direct consequence is disclosure of OpenEnterprise user account passwords, which by itself leaves no artefact on the vulnerable system.
- Detection methods and tools: Not specified in the source. The practical check is to confirm that every OpenEnterprise installation reports version 3.3.5 or later.
## References
- Vendor Advisories: The vendor released the patch in May 2020; the Kaspersky ICS-CERT advisory KLCERT-20-011 (linked below) is dated 20 May 2020.
- Relevant links:
- hxxps://ics-cert.kaspersky.com/advisories/2020/05/20/klcert-20-011-inadequate-encryption-strength-in-emerson-openenterprise-scada-before-3-3-4/