Vulnerability Details : CVE-2020-11650
Potential exploit
An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before 11.2-u8 and 11.3 before 11.3-U1. It allows a denial of service. The login authentication component has no limits on the length of an authentication message or the rate at which such messages are sent.
Vulnerability category: Denial of service
Products affected by CVE-2020-11650
- cpe:2.3:o:ixsystems:freenas_firmware:11.2:-:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.2:u1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.2:u2:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.2:u2.1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.2:u3:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.2:u4:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.2:u4.1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.2:u5:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.2:u5.1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.2:u6:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.2:u6.1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.2:u7:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.3:-:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.3:alpha1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.3:alpha2:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.3:beta1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.3:rc1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:freenas_firmware:11.3:rc2:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.2:-:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.2:u1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.2:u2:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.2:u2.1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.2:u3:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.2:u4:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.2:u4.1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.2:u5:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.2:u5.1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.2:u6:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.2:u6.1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.2:u7:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.3:-:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.3:alpha1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.3:alpha2:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.3:beta1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.3:rc1:*:*:*:*:*:*
- cpe:2.3:o:ixsystems:truenas_firmware:11.3:rc2:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11650
11.92%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 93 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-11650
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2020-11650
-
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11650
-
https://jira.ixsystems.com/browse/NAS-104748
[NAS-104748] DOS vulnerability in FreeNAS - iX - Bug Tracker (Jira)Patch;Third Party Advisory
-
https://security.ixsystems.com/cves/2020-04-08-cve-2020-11650/
CVE-2020-11650 : Login DOS - TrueNASVendor Advisory
Jump to