Sign-up

ID

VAR-202201-0603


CVE

CVE-2022-23128


TITLE

Mitsubishi Electric products and multiple  ICONICS  Product vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2022-003883

DESCRIPTION

Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI versions 10.95.3 to 10.97 allows a remote unauthenticated attacker to bypass the authentication of MC Works64, GENESIS64, Hyper Historian, AnalytiX and MobileHMI, and gain unauthorized access to the products, by sending specially crafted WebSocket packets to FrameWorX server, one of the functions of the products. Mitsubishi Electric products and multiple ICONICS There are unspecified vulnerabilities in the product.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Mitsubishi Electric MC Works64 is a set of data acquisition and monitoring and control system (SCADA) of Japan's Mitsubishi Electric (Mitsubishi Electric). A security vulnerability exists in Mitsubishi Electric MC Works64 that originates in the ICONICS and Mitsubishi Electric ICONICS product suites. The FrameWorX server in the Mitsubishi Electric MC Works64 product could allow an attacker to exploit the vulnerability to open a WebSocket endpoint (port 80 or 443) when bypassing GENESIS64 MC Works64 security. No detailed vulnerability details are currently provided

Trust: 2.25

sources: NVD: CVE-2022-23128 // JVNDB: JVNDB-2022-003883 // CNVD: CNVD-2022-08358 // VULMON: CVE-2022-23128

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-08358

AFFECTED PRODUCTS

vendor:iconicsmodel:mobilehmiscope:lteversion:10.97

Trust: 1.0

vendor:mitsubishielectricmodel:mc works64scope:gteversion:10.95.201.23

Trust: 1.0

vendor:iconicsmodel:genesis64scope:gteversion:10.95.3

Trust: 1.0

vendor:iconicsmodel:analytixscope:lteversion:10.97

Trust: 1.0

vendor:iconicsmodel:analytixscope:gteversion:10.95.3

Trust: 1.0

vendor:iconicsmodel:genesis64scope:lteversion:10.97

Trust: 1.0

vendor:iconicsmodel:hyper historianscope:gteversion:10.95.3

Trust: 1.0

vendor:iconicsmodel:mobilehmiscope:gteversion:10.95.3

Trust: 1.0

vendor:mitsubishielectricmodel:mc works64scope:lteversion:10.95.210.01

Trust: 1.0

vendor:iconicsmodel:hyper historianscope:lteversion:10.97

Trust: 1.0

vendor:iconicsmodel:hyper historianscope: - version: -

Trust: 0.8

vendor:三菱電機model:mc works64scope:eqversion:4.00a (10.95.201.23) to 4.04e (10.95.210.01)

Trust: 0.8

vendor:iconicsmodel:mobilehmiscope: - version: -

Trust: 0.8

vendor:iconicsmodel:analytixscope: - version: -

Trust: 0.8

vendor:iconicsmodel:genesis 64scope: - version: -

Trust: 0.8

vendor:mitsubishimodel:electric mc works64scope:gteversion:10.95.201.23,<=10.95.210.01

Trust: 0.6

sources: CNVD: CNVD-2022-08358 // JVNDB: JVNDB-2022-003883 // NVD: CVE-2022-23128

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-23128
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-23128
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2022-08358
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202201-1829
value: CRITICAL

Trust: 0.6

VULMON: CVE-2022-23128
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2022-23128
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-08358
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-23128
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-23128
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-08358 // VULMON: CVE-2022-23128 // JVNDB: JVNDB-2022-003883 // CNNVD: CNNVD-202201-1829 // NVD: CVE-2022-23128

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:others (CWE-Other) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-003883 // NVD: CVE-2022-23128

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-1829

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202201-1829

PATCH

title:Top Page Mitsubishi Electric Mitsubishi Electric Corporationurl:https://iconics.com/

Trust: 0.8

title:Patch for Unknown Vulnerability in Mitsubishi Electric MC Works64url:https://www.cnvd.org.cn/patchInfo/show/317671

Trust: 0.6

title:Mitsubishi Electric MC Works64 Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=179152

Trust: 0.6

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: CNVD: CNVD-2022-08358 // VULMON: CVE-2022-23128 // JVNDB: JVNDB-2022-003883 // CNNVD: CNNVD-202201-1829

EXTERNAL IDS

db:NVDid:CVE-2022-23128

Trust: 3.9

db:ICS CERTid:ICSA-22-020-01

Trust: 3.1

db:JVNid:JVNVU95403720

Trust: 2.5

db:JVNDBid:JVNDB-2022-003883

Trust: 0.8

db:CNVDid:CNVD-2022-08358

Trust: 0.6

db:AUSCERTid:ESB-2022.0311

Trust: 0.6

db:CS-HELPid:SB2022012108

Trust: 0.6

db:CNNVDid:CNNVD-202201-1829

Trust: 0.6

db:VULMONid:CVE-2022-23128

Trust: 0.1

sources: CNVD: CNVD-2022-08358 // VULMON: CVE-2022-23128 // JVNDB: JVNDB-2022-003883 // CNNVD: CNNVD-202201-1829 // NVD: CVE-2022-23128

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01

Trust: 1.8

url:https://jvn.jp/vu/jvnvu95403720/index.html

Trust: 1.7

url:https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2022-23128

Trust: 1.4

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01

Trust: 1.2

url:https://jvn.jp/vu/jvnvu95403720/

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-020-01

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2022.0311

Trust: 0.6

url:https://vigilance.fr/vulnerability/iconics-genesis64-four-vulnerabilities-37339

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022012108

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: CNVD: CNVD-2022-08358 // VULMON: CVE-2022-23128 // JVNDB: JVNDB-2022-003883 // CNNVD: CNNVD-202201-1829 // NVD: CVE-2022-23128

CREDITS

ICONICS and Mitsubishi Electric reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202201-1829

SOURCES

db:CNVDid:CNVD-2022-08358
db:VULMONid:CVE-2022-23128
db:JVNDBid:JVNDB-2022-003883
db:CNNVDid:CNNVD-202201-1829
db:NVDid:CVE-2022-23128

LAST UPDATE DATE

2024-11-23T21:33:22.067000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2022-08358date:2022-06-13T00:00:00
db:VULMONid:CVE-2022-23128date:2022-01-27T00:00:00
db:JVNDBid:JVNDB-2022-003883date:2023-03-10T03:20:00
db:CNNVDid:CNNVD-202201-1829date:2022-02-14T00:00:00
db:NVDid:CVE-2022-23128date:2024-11-21T06:48:03.407

SOURCES RELEASE DATE

db:CNVDid:CNVD-2022-08358date:2022-02-05T00:00:00
db:VULMONid:CVE-2022-23128date:2022-01-21T00:00:00
db:JVNDBid:JVNDB-2022-003883date:2023-03-10T00:00:00
db:CNNVDid:CNNVD-202201-1829date:2022-01-20T00:00:00
db:NVDid:CVE-2022-23128date:2022-01-21T19:15:09.977