Details of VAR-202202-0307

ID

VAR-202202-0307

CVE

CVE-2022-21798

TITLE

GE Digital Made Proficy CIMPLICITY Vulnerability of plaintext communication of sensitive information in

Trust: 0.8

sources: JVNDB: JVNDB-2022-001376

DESCRIPTION

The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system. GE Digital Provided by the company HMI and SCADA Platform Proficy CIMPLICITY The vulnerability of plaintext communication of sensitive information ( CWE-319 , CVE-2022-21798 ) exists. CIMPLICITY Credentials are communicated in clear text over the network.Authentication information sent in plain text may be stolen and used to illegally control the device. GE CIMPLICITY is a client (server)-based HMI (SCADA) solution from General Electric (GE) in the United States. The solution can collect and share real-time and historical data between all levels of the enterprise, realizing process, equipment, Operational visualization of resource monitoring. There is an information leakage vulnerability in GEProficy CIMPLICITY. An attacker can use this vulnerability to log in to the system and perform unauthorized operations

Trust: 2.16

sources: NVD: CVE-2022-21798 // JVNDB: JVNDB-2022-001376 // CNVD: CNVD-2023-98795

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-98795

AFFECTED PRODUCTS

vendor:	ge	model:	cimplicity	scope:	eq	version:	*	Trust: 1.0
vendor:	ge デジタル	model:	proficy cimplicity	scope:	eq	version:	all s	Trust: 0.8
vendor:	ge デジタル	model:	proficy cimplicity	scope:	eq	version:	-	Trust: 0.8
vendor:	ge	model:	proficy cimplicity	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2023-98795 // JVNDB: JVNDB-2022-001376 // NVD: CVE-2022-21798

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-21798
value:	CRITICAL
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2022-21798
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-21798
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2023-98795
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202202-1761
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2022-21798
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2023-98795
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-21798
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2022-21798
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.6
impactScore:	5.9
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2022-001376
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2023-98795 // JVNDB: JVNDB-2022-001376 // CNNVD: CNNVD-202202-1761 // NVD: CVE-2022-21798 // NVD: CVE-2022-21798

PROBLEMTYPE DATA

problemtype:	CWE-319	Trust: 1.0
problemtype:	Sending important information in clear text (CWE-319) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-001376 // NVD: CVE-2022-21798

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-1761

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202202-1761

PATCH

title:	Secure Deployment Guide (Login required) GE Digital	url:	https://digitalsupport.ge.com/communities/cc_login?startURL=%2Fen_US%2FDocumentation%2FiFIX-Secure-Deployment-Guide	Trust: 0.8
title:	Patch for GE Proficy CIMPLICITY information leakage vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/358056	Trust: 0.6
title:	General Electric Proficy Cimplicity Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=185279	Trust: 0.6

sources: CNVD: CNVD-2023-98795 // JVNDB: JVNDB-2022-001376 // CNNVD: CNNVD-202202-1761

EXTERNAL IDS

db:	NVD	id:	CVE-2022-21798	Trust: 3.8
db:	ICS CERT	id:	ICSA-22-053-02	Trust: 2.4
db:	JVN	id:	JVNVU96846804	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-001376	Trust: 0.8
db:	CNVD	id:	CNVD-2023-98795	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0787	Trust: 0.6
db:	CS-HELP	id:	SB2022022305	Trust: 0.6
db:	CNNVD	id:	CNNVD-202202-1761	Trust: 0.6

sources: CNVD: CNVD-2023-98795 // JVNDB: JVNDB-2022-001376 // CNNVD: CNNVD-202202-1761 // NVD: CVE-2022-21798

REFERENCES

url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21798	Trust: 2.0
url:	https://jvn.jp/vu/jvnvu96846804/	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-21798/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022022305	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0787	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-053-02	Trust: 0.6

sources: CNVD: CNVD-2023-98795 // JVNDB: JVNDB-2022-001376 // CNNVD: CNNVD-202202-1761 // NVD: CVE-2022-21798

CREDITS

Users are advised to refer to the

Trust: 0.6

sources: CNNVD: CNNVD-202202-1761

SOURCES

db:	CNVD	id:	CNVD-2023-98795
db:	JVNDB	id:	JVNDB-2022-001376
db:	CNNVD	id:	CNNVD-202202-1761
db:	NVD	id:	CVE-2022-21798

LAST UPDATE DATE

2024-11-23T22:57:48.816000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-98795	date:	2023-12-19T00:00:00
db:	JVNDB	id:	JVNDB-2022-001376	date:	2024-06-20T09:00:00
db:	CNNVD	id:	CNNVD-202202-1761	date:	2022-03-09T00:00:00
db:	NVD	id:	CVE-2022-21798	date:	2024-11-21T06:45:27.413

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-98795	date:	2022-10-20T00:00:00
db:	JVNDB	id:	JVNDB-2022-001376	date:	2022-02-28T00:00:00
db:	CNNVD	id:	CNNVD-202202-1761	date:	2022-02-22T00:00:00
db:	NVD	id:	CVE-2022-21798	date:	2022-02-25T19:15:23.723