Details of VAR-202201-0604

ID

VAR-202201-0604

CVE

CVE-2022-23130

TITLE

Mitsubishi Electric products and multiple ICONICS Product out-of-bounds read vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-003878

DESCRIPTION

Buffer Over-read vulnerability in Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), ICONICS GENESIS64 versions 10.97 and prior and ICONICS Hyper Historian versions 10.97 and prior allows an attacker to cause a DoS condition in the database server by getting a legitimate user to import a configuration file containing specially crafted stored procedures into GENESIS64 or MC Works64 and execute commands against the database from GENESIS64 or MC Works64. Mitsubishi Electric MC Works64 , ICONICS GENESIS64 , ICONICS Hyper Historian Exists in an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be in a state. Mitsubishi Electric MC Works64 is a set of data acquisition and monitoring and control system (SCADA) of Japan's Mitsubishi Electric (Mitsubishi Electric). Mitsubishi Electric MC Works64 has a security vulnerability that stems from a coding error in the SQL query engine memory allocation code that makes it possible to execute a series of SQL commands in a GENESIS64 system or MC Works64 system, which can cause the SQL query engine to crash and cause SQL Server Disabled. No detailed vulnerability details are currently provided

Trust: 2.25

sources: NVD: CVE-2022-23130 // JVNDB: JVNDB-2022-003878 // CNVD: CNVD-2022-08357 // VULMON: CVE-2022-23130

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-08357

AFFECTED PRODUCTS

vendor:	iconics	model:	genesis64	scope:	lte	version:	10.97	Trust: 1.0
vendor:	mitsubishielectric	model:	mc works64	scope:	gte	version:	10.95.201.23	Trust: 1.0
vendor:	mitsubishielectric	model:	mc works64	scope:	lte	version:	10.95.210.01	Trust: 1.0
vendor:	iconics	model:	hyper historian	scope:	lte	version:	10.97	Trust: 1.0
vendor:	iconics	model:	hyper historian	scope:	-	version:	-	Trust: 0.8
vendor:	三菱電機	model:	mc works64	scope:	eq	version:	4.00a (10.95.201.23) to 4.04e (10.95.210.01)	Trust: 0.8
vendor:	iconics	model:	genesis 64	scope:	-	version:	-	Trust: 0.8
vendor:	mitsubishi	model:	electric mc works64 <4.04e	scope:	eq	version:	(10.95.210.01)	Trust: 0.6

sources: CNVD: CNVD-2022-08357 // JVNDB: JVNDB-2022-003878 // NVD: CVE-2022-23130

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-23130
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-23130
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2022-08357
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202201-1789
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2022-23130
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-23130
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2022-08357
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-23130
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-23130
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-08357 // VULMON: CVE-2022-23130 // JVNDB: JVNDB-2022-003878 // CNNVD: CNNVD-202201-1789 // NVD: CVE-2022-23130

PROBLEMTYPE DATA

problemtype:	CWE-125	Trust: 1.0
problemtype:	Out-of-bounds read (CWE-125) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-003878 // NVD: CVE-2022-23130

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202201-1789

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202201-1789

PATCH

title:	Top Page Mitsubishi Electric Mitsubishi Electric Corporation	url:	https://iconics.com/	Trust: 0.8
title:	Patch for Mitsubishi Electric MC Works64 Buffer Overflow Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/317666	Trust: 0.6
title:	Mitsubishi Electric MC Works64 Buffer error vulnerability fix	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=179833	Trust: 0.6
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: CNVD: CNVD-2022-08357 // VULMON: CVE-2022-23130 // JVNDB: JVNDB-2022-003878 // CNNVD: CNNVD-202201-1789

EXTERNAL IDS

db:	NVD	id:	CVE-2022-23130	Trust: 3.9
db:	ICS CERT	id:	ICSA-22-020-01	Trust: 3.1
db:	JVN	id:	JVNVU95403720	Trust: 2.5
db:	JVNDB	id:	JVNDB-2022-003878	Trust: 0.8
db:	CNVD	id:	CNVD-2022-08357	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0311	Trust: 0.6
db:	CS-HELP	id:	SB2022012108	Trust: 0.6
db:	CNNVD	id:	CNNVD-202201-1789	Trust: 0.6
db:	VULMON	id:	CVE-2022-23130	Trust: 0.1

sources: CNVD: CNVD-2022-08357 // VULMON: CVE-2022-23130 // JVNDB: JVNDB-2022-003878 // CNNVD: CNNVD-202201-1789 // NVD: CVE-2022-23130

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01	Trust: 2.3
url:	https://jvn.jp/vu/jvnvu95403720/index.html	Trust: 1.7
url:	https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-028_en.pdf	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23130	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu95403720/	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-22-020-01	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01	Trust: 0.7
url:	https://www.auscert.org.au/bulletins/esb-2022.0311	Trust: 0.6
url:	https://vigilance.fr/vulnerability/iconics-genesis64-four-vulnerabilities-37339	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022012108	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/125.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1

sources: CNVD: CNVD-2022-08357 // VULMON: CVE-2022-23130 // JVNDB: JVNDB-2022-003878 // CNNVD: CNNVD-202201-1789 // NVD: CVE-2022-23130

CREDITS

ICONICS and Mitsubishi Electric reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202201-1789

SOURCES

db:	CNVD	id:	CNVD-2022-08357
db:	VULMON	id:	CVE-2022-23130
db:	JVNDB	id:	JVNDB-2022-003878
db:	CNNVD	id:	CNNVD-202201-1789
db:	NVD	id:	CVE-2022-23130

LAST UPDATE DATE

2024-11-23T21:33:22.155000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-08357	date:	2022-06-13T00:00:00
db:	VULMON	id:	CVE-2022-23130	date:	2022-01-27T00:00:00
db:	JVNDB	id:	JVNDB-2022-003878	date:	2023-03-10T03:05:00
db:	CNNVD	id:	CNNVD-202201-1789	date:	2022-02-14T00:00:00
db:	NVD	id:	CVE-2022-23130	date:	2024-11-21T06:48:03.700

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-08357	date:	2022-02-05T00:00:00
db:	VULMON	id:	CVE-2022-23130	date:	2022-01-21T00:00:00
db:	JVNDB	id:	JVNDB-2022-003878	date:	2023-03-10T00:00:00
db:	CNNVD	id:	CNNVD-202201-1789	date:	2022-01-20T00:00:00
db:	NVD	id:	CVE-2022-23130	date:	2022-01-21T19:15:10.080