CVE-2020-9045 : What You Need to Know

Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2 by Johnson Controls are affected by a vulnerability that logs user credentials during installation or upgrade, posing a critical security risk.

Understanding CVE-2020-9045

This CVE involves the cleartext storage of user credentials during software installation or upgrade, potentially exposing sensitive information.

What is CVE-2020-9045?

During the installation or upgrade of the affected software versions, user credentials used for the process are stored in a log file, which remains after the installation, leading to a security threat.

The Impact of CVE-2020-9045

The vulnerability has a CVSS base score of 9.9, indicating a critical severity level with high impacts on confidentiality, integrity, and availability of the systems.

Technical Details of CVE-2020-9045

This section provides detailed technical insights into the vulnerability.

Vulnerability Description

The issue involves the insecure storage of user credentials in a log file during the installation or upgrade process, creating a potential security breach.

Affected Systems and Versions

Software House C•CURE 9000 v2.70
American Dynamics victor Video Management System v5.2

Exploitation Mechanism

Attack Complexity: Low
Attack Vector: Network
Privileges Required: Low
Scope: Changed
User Interaction: None

Mitigation and Prevention

To address CVE-2020-9045, users should take immediate and long-term security measures.

Immediate Steps to Take

Upgrade to the latest software versions
Securely delete the log file from 'c:\ProgramData\Tyco\InstallerTemp'
Change the password for the affected user account

Long-Term Security Practices

Regularly monitor and audit system logs
Implement strong password policies
Conduct security training for users

Patching and Updates

Ensure all systems are updated to the latest versions to automatically remove the log file and mitigate the vulnerability.