Details of VAR-202203-0853

ID

VAR-202203-0853

CVE

CVE-2022-22141

TITLE

Yokogawa Exaopc Permission Licensing and Access Control Issue Vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202203-1159

DESCRIPTION

'Long-term Data Archive Package' service implemented in the following Yokogawa Electric products creates some named pipe with imporper ACL configuration. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00

Trust: 0.99

sources: NVD: CVE-2022-22141 // VULHUB: VHN-414057

AFFECTED PRODUCTS

vendor:	yokogawa	model:	centum vp entry	scope:	gte	version:	r5.01.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp	scope:	gte	version:	r4.01.00	Trust: 1.0
vendor:	yokogawa	model:	centum cs 3000 entry	scope:	lte	version:	r3.09.00	Trust: 1.0
vendor:	yokogawa	model:	exaopc	scope:	lt	version:	r3.80.00	Trust: 1.0
vendor:	yokogawa	model:	exaopc	scope:	gte	version:	r3.72.00	Trust: 1.0
vendor:	yokogawa	model:	centum cs 3000 entry	scope:	gte	version:	r3.08.10	Trust: 1.0
vendor:	yokogawa	model:	centum vp entry	scope:	gte	version:	r4.01.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp entry	scope:	lte	version:	r5.04.20	Trust: 1.0
vendor:	yokogawa	model:	centum vp	scope:	lte	version:	r5.04.20	Trust: 1.0
vendor:	yokogawa	model:	centum cs 3000	scope:	lte	version:	r3.09.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp	scope:	lt	version:	r6.09.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp	scope:	lte	version:	r4.03.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp entry	scope:	lte	version:	r4.03.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp entry	scope:	gte	version:	r6.01.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp	scope:	gte	version:	r6.01.00	Trust: 1.0
vendor:	yokogawa	model:	centum cs 3000	scope:	gte	version:	r3.08.10	Trust: 1.0
vendor:	yokogawa	model:	centum vp entry	scope:	lt	version:	r6.09.00	Trust: 1.0
vendor:	yokogawa	model:	centum vp	scope:	gte	version:	r5.01.00	Trust: 1.0

sources: NVD: CVE-2022-22141

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-22141
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202203-1159
value:	HIGH
Trust: 0.6
VULHUB:	VHN-414057
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-22141
severity:	MEDIUM
baseScore:	4.4
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-414057
severity:	MEDIUM
baseScore:	4.4
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-22141
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-414057 // CNNVD: CNNVD-202203-1159 // NVD: CVE-2022-22141

PROBLEMTYPE DATA

problemtype:	CWE-269	Trust: 1.1
problemtype:	CWE-732	Trust: 1.0

sources: VULHUB: VHN-414057 // NVD: CVE-2022-22141

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202203-1159

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-202203-1159

PATCH

title:

Yokogawa Exaopc Fixes for permissions and access control issues vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=186759

Trust: 0.6

sources: CNNVD: CNNVD-202203-1159

EXTERNAL IDS

db:	NVD	id:	CVE-2022-22141	Trust: 1.7
db:	CS-HELP	id:	SB2022032906	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.1276	Trust: 0.6
db:	ICS CERT	id:	ICSA-22-083-01	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-1159	Trust: 0.6
db:	VULHUB	id:	VHN-414057	Trust: 0.1

sources: VULHUB: VHN-414057 // CNNVD: CNNVD-202203-1159 // NVD: CVE-2022-22141

REFERENCES

url:	https://web-material3.yokogawa.com/1/32094/files/ysar-22-0001-e.pdf	Trust: 1.7
url:	https://www.cybersecurity-help.cz/vdb/sb2022032906	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.1276	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-22141/	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-083-01	Trust: 0.6

sources: VULHUB: VHN-414057 // CNNVD: CNNVD-202203-1159 // NVD: CVE-2022-22141

CREDITS

Jacob Baines from Dragos reported these vulnerabilities to Yokogawa.

Trust: 0.6

sources: CNNVD: CNNVD-202203-1159

SOURCES

db:	VULHUB	id:	VHN-414057
db:	CNNVD	id:	CNNVD-202203-1159
db:	NVD	id:	CVE-2022-22141

LAST UPDATE DATE

2024-11-23T21:32:45.530000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-414057	date:	2022-03-18T00:00:00
db:	CNNVD	id:	CNNVD-202203-1159	date:	2022-03-30T00:00:00
db:	NVD	id:	CVE-2022-22141	date:	2024-11-21T06:46:14.647

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-414057	date:	2022-03-11T00:00:00
db:	CNNVD	id:	CNNVD-202203-1159	date:	2022-03-11T00:00:00
db:	NVD	id:	CVE-2022-22141	date:	2022-03-11T09:15:11.460