CVE-2020-21990

7.5 HIGH

📋 TL;DR

CVE-2020-21990 is an information disclosure vulnerability in Emmanuel MyDomoAtHome (MDAH) REST API Domoticz ISS Gateway that allows unauthenticated remote attackers to access sensitive information via specially crafted requests. This affects systems running version 0.2.40 of the software, potentially exposing configuration data, device information, or other sensitive details.

💻 Affected Systems

Products:
  • Emmanuel MyDomoAtHome (MDAH) REST API Domoticz ISS Gateway
Versions: 0.2.40
Operating Systems: Any OS running the affected software
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 0.2.40 are vulnerable by default due to improper access control enforcement.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full access to sensitive system information, device configurations, and potentially credentials, leading to complete system compromise or lateral movement within the network.

🟠 Likely Case

Unauthenticated attackers access configuration files, device lists, and system information that could be used for further attacks or reconnaissance.

🟢 If Mitigated

Proper authentication controls prevent unauthorized access, limiting exposure to authenticated users only.

🌐 Internet-Facing: HIGH - The vulnerability allows unauthenticated remote exploitation, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access, reducing exposure compared to internet-facing instances.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available, making exploitation trivial for attackers with network access to vulnerable systems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 0.2.40

Vendor Advisory: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5555.php

Restart Required: Yes

Instructions:

1. Upgrade to the latest version of MyDomoAtHome REST API Domoticz ISS Gateway.
2. Verify the version is greater than 0.2.40.
3. Restart the service to apply changes.

🔧 Temporary Workarounds

Network Access Restriction

Platform: linux

Restrict network access to the MDAH REST API to trusted IP addresses only. Replace [API_PORT] and [TRUSTED_IP] with your own values; because -A appends, the ACCEPT rule must be added before the DROP rule, and no earlier rule in the INPUT chain may already accept the port.

# Allow the API port only from the trusted address
iptables -A INPUT -p tcp --dport [API_PORT] -s [TRUSTED_IP] -j ACCEPT
# Drop every other connection to the API port
iptables -A INPUT -p tcp --dport [API_PORT] -j DROP

Reverse Proxy with Authentication

Platform: all

Place the API behind a reverse proxy that requires authentication, so that requests reaching the unpatched gateway have already been authenticated by the proxy.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the vulnerable system from untrusted networks
  • Deploy a web application firewall (WAF) with rules to block unauthorized API requests

🔍 How to Verify

Check if Vulnerable:

Check if the system is running version 0.2.40 of MyDomoAtHome REST API Domoticz ISS Gateway and test for unauthenticated access to API endpoints.

Check Version:

Check the software documentation or configuration files for version information specific to your installation method

Verify Fix Applied:

Verify the version is greater than 0.2.40 and test that unauthenticated requests to sensitive API endpoints are properly rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to sensitive API endpoints
  • Multiple failed authentication attempts followed by successful unauthenticated access

Network Indicators:

  • Unusual traffic patterns to API endpoints from untrusted sources
  • Requests bypassing authentication mechanisms

SIEM Query:

source="mydomohome.log" AND (http_status=200 OR http_status=403) AND user="-" AND uri="/api/*"
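The SIEM query above only makes sense once you know what a hit looks like in the raw log. The following Python script is an added example, not part of this advisory and not MDAH's own code: it applies the same logic to access-log lines in Common Log Format (an assumption; the gateway's real log format and the /api/devices and /api/system paths are constructed for the sample, not taken from the product) and separates the real indicator, an unauthenticated request (user "-") that received HTTP 200 on an /api/ path, from rejected attempts (403), which the query also returns.

```python
import re
from collections import Counter

# Constructed sample access log (Common Log Format). The addresses, paths and
# timestamps are made up for this example and are not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2024:10:01:02 +0000] "GET /api/devices HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2024:10:01:05 +0000] "GET /api/devices HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2024:10:01:06 +0000] "GET /api/system HTTP/1.1" 200 2048
198.51.100.7 - - [12/Mar/2024:10:02:00 +0000] "GET /api/devices HTTP/1.1" 403 0
10.0.0.5 - - [12/Mar/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common Log Format: client ident user [timestamp] "METHOD path proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

API_PREFIX = "/api/"  # mirrors uri="/api/*" in the SIEM query


def parse_line(line):
    """Return a dict of fields for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_unauthenticated_api_hits(log_text):
    """Lines where an unauthenticated client (user '-') got HTTP 200 on an /api/ path.

    This is the condition that actually indicates the information disclosure
    succeeded; a 403 on the same path means the request was rejected.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] == "-" and rec["path"].startswith(API_PREFIX) and rec["status"] == 200:
            hits.append({"ip": rec["ip"], "path": rec["path"], "ts": rec["ts"]})
    return hits


def summarize(log_text):
    """Count successful unauthenticated API reads, rejected attempts, and sources."""
    successes = 0
    rejected = 0
    sources = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] != "-" or not rec["path"].startswith(API_PREFIX):
            continue
        if rec["status"] == 200:
            successes += 1
            sources[rec["ip"]] += 1
        elif rec["status"] == 403:
            rejected += 1
    return {"unauthenticated_success": successes, "rejected": rejected, "sources": sources}


if __name__ == "__main__":
    for hit in find_unauthenticated_api_hits(SAMPLE_LOG):
        print(f"ALERT unauthenticated API read: {hit['ip']} {hit['path']} at {hit['ts']}")
    print(summarize(SAMPLE_LOG))
```

On the constructed sample this flags the two reads from 203.0.113.9 and counts the 403 from 198.51.100.7 as a rejected attempt; the authenticated read by "alice" and the non-API request are ignored. After patching, the "unauthenticated_success" count for /api/ paths should stay at zero while rejected attempts may continue to appear.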
