ID

VAR-202204-0322


CVE

CVE-2022-23449


TITLE

SIMATIC Energy Manager Basic  and  SIMATIC Energy Manager PRO  Vulnerability in Uncontrolled Search Path Elements

Trust: 0.8

sources: JVNDB: JVNDB-2022-001570

DESCRIPTION

A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). A DLL Hijacking vulnerability could allow a local attacker to execute code with elevated privileges by placing a malicious DLL in one of the directories on the DLL search path. SIMATIC Energy Manager visualizes the energy flow and consumption values in the process in detail, assigns them to the relevant consumers or cost centers, and determines the reasons for changes

Trust: 2.25

sources: NVD: CVE-2022-23449 // JVNDB: JVNDB-2022-001570 // CNVD: CNVD-2022-28493 // VULMON: CVE-2022-23449

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-28493

AFFECTED PRODUCTS

vendor:siemensmodel:simatic energy manager basicscope:ltversion:7.3

Trust: 1.0

vendor:siemensmodel:simatic energy manager proscope:ltversion:7.3

Trust: 1.0

vendor:siemensmodel:simatic energy manager basicscope:eqversion:7.3

Trust: 1.0

vendor:siemensmodel:simatic energy manager proscope:eqversion:7.3

Trust: 1.0

vendor:シーメンスmodel:simatic energy manager proscope:eqversion:7.3 update 1

Trust: 0.8

vendor:シーメンスmodel:simatic energy manager basicscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic energy manager basic updatescope:ltversion:7.31

Trust: 0.6

vendor:siemensmodel:simatic energy manager pro updatescope:ltversion:7.31

Trust: 0.6

sources: CNVD: CNVD-2022-28493 // JVNDB: JVNDB-2022-001570 // NVD: CVE-2022-23449

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-23449
value: HIGH

Trust: 1.0

NVD: CVE-2022-23449
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-28493
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202204-2944
value: HIGH

Trust: 0.6

VULMON: CVE-2022-23449
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-23449
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-28493
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-23449
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.3
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-23449
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-28493 // VULMON: CVE-2022-23449 // JVNDB: JVNDB-2022-001570 // CNNVD: CNNVD-202204-2944 // NVD: CVE-2022-23449

PROBLEMTYPE DATA

problemtype:CWE-427

Trust: 1.0

problemtype:Uncontrolled search path elements (CWE-427) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-001570 // NVD: CVE-2022-23449

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202204-2944

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202204-2944

PATCH

title:SSA-655554url:https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf

Trust: 0.8

title:Patch for Unknown Vulnerability in Siemens SIMATIC Energy Managerurl:https://www.cnvd.org.cn/patchInfo/show/329216

Trust: 0.6

title:Siemens SIMATIC Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=190116

Trust: 0.6

sources: CNVD: CNVD-2022-28493 // JVNDB: JVNDB-2022-001570 // CNNVD: CNNVD-202204-2944

EXTERNAL IDS

db:NVDid:CVE-2022-23449

Trust: 3.9

db:SIEMENSid:SSA-655554

Trust: 2.3

db:ICS CERTid:ICSA-22-104-11

Trust: 1.5

db:JVNid:JVNVU91165555

Trust: 0.8

db:JVNDBid:JVNDB-2022-001570

Trust: 0.8

db:CNVDid:CNVD-2022-28493

Trust: 0.6

db:CS-HELPid:SB2022041913

Trust: 0.6

db:CNNVDid:CNNVD-202204-2944

Trust: 0.6

db:VULMONid:CVE-2022-23449

Trust: 0.1

sources: CNVD: CNVD-2022-28493 // VULMON: CVE-2022-23449 // JVNDB: JVNDB-2022-001570 // CNNVD: CNNVD-202204-2944 // NVD: CVE-2022-23449

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf

Trust: 2.3

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-11

Trust: 0.9

url:https://jvn.jp/vu/jvnvu91165555/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-23449

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022041913

Trust: 0.6

url:https://vigilance.fr/vulnerability/simatic-energy-manager-three-vulnerabilities-38020

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-104-11

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-23449/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/427.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2022-28493 // VULMON: CVE-2022-23449 // JVNDB: JVNDB-2022-001570 // CNNVD: CNNVD-202204-2944 // NVD: CVE-2022-23449

CREDITS

Noam Moshe of Claroty reported these vulnerabilities to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202204-2944

SOURCES

db:CNVDid:CNVD-2022-28493
db:VULMONid:CVE-2022-23449
db:JVNDBid:JVNDB-2022-001570
db:CNNVDid:CNNVD-202204-2944
db:NVDid:CVE-2022-23449

LAST UPDATE DATE

2024-08-14T13:42:55.123000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2022-28493date:2022-04-13T00:00:00
db:VULMONid:CVE-2022-23449date:2022-04-19T00:00:00
db:JVNDBid:JVNDB-2022-001570date:2022-04-22T06:27:00
db:CNNVDid:CNNVD-202204-2944date:2022-04-20T00:00:00
db:NVDid:CVE-2022-23449date:2022-04-19T16:09:44.513

SOURCES RELEASE DATE

db:CNVDid:CNVD-2022-28493date:2022-04-13T00:00:00
db:VULMONid:CVE-2022-23449date:2022-04-12T00:00:00
db:JVNDBid:JVNDB-2022-001570date:2022-04-22T00:00:00
db:CNNVDid:CNNVD-202204-2944date:2022-04-12T00:00:00
db:NVDid:CVE-2022-23449date:2022-04-12T09:15:14.297