CVE-2020-8809

Published: 25/02/2020
Updated: 27/02/2020
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 605
CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Gurux GXDLMS Director before 8.5.1905.1301 downloads updates to add-ins and OBIS codes over an unencrypted HTTP connection. A man-in-the-middle attacker can prompt the user to download updates by modifying the contents of gurux.fi/obis/files.xml and gurux.fi/updates/updates.xml, and can then modify the contents of the downloaded files. In the case of add-ins (if the user has any installed), this leads to code execution. In the case of OBIS codes (which every user relies on, since they are needed to communicate with the energy meters), this can lead to code execution when combined with CVE-2020-8810.

Vulnerable Product: Gurux Device Language Message Specification (DLMS) Director

Github Repositories

CVE-2020-8809 and CVE-2020-8810

Multiple vulnerabilities in Gurux GXDLMS Director: remote code execution. Gurux GXDLMS Director is an open-source Windows program for interacting with energy meters through the DLMS/COSEM protocol. The software has a remote update functionality for add-in DLLs as well as for files containing OBIS codes (device-specific definitions needed to interact with the smart