Details of VAR-202204-0322

ID

VAR-202204-0322

CVE

CVE-2022-23449

TITLE

SIMATIC Energy Manager Basic and SIMATIC Energy Manager PRO Vulnerability in Uncontrolled Search Path Elements

Trust: 0.8

sources: JVNDB: JVNDB-2022-001570

DESCRIPTION

A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). A DLL Hijacking vulnerability could allow a local attacker to execute code with elevated privileges by placing a malicious DLL in one of the directories on the DLL search path. SIMATIC Energy Manager visualizes the energy flow and consumption values in the process in detail, assigns them to the relevant consumers or cost centers, and determines the reasons for changes

Trust: 2.25

sources: NVD: CVE-2022-23449 // JVNDB: JVNDB-2022-001570 // CNVD: CNVD-2022-28493 // VULMON: CVE-2022-23449

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-28493

AFFECTED PRODUCTS

vendor:	siemens	model:	simatic energy manager basic	scope:	lt	version:	7.3	Trust: 1.0
vendor:	siemens	model:	simatic energy manager pro	scope:	lt	version:	7.3	Trust: 1.0
vendor:	siemens	model:	simatic energy manager basic	scope:	eq	version:	7.3	Trust: 1.0
vendor:	siemens	model:	simatic energy manager pro	scope:	eq	version:	7.3	Trust: 1.0
vendor:	シーメンス	model:	simatic energy manager pro	scope:	eq	version:	7.3 update 1	Trust: 0.8
vendor:	シーメンス	model:	simatic energy manager basic	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	simatic energy manager basic update	scope:	lt	version:	7.31	Trust: 0.6
vendor:	siemens	model:	simatic energy manager pro update	scope:	lt	version:	7.31	Trust: 0.6

sources: CNVD: CNVD-2022-28493 // JVNDB: JVNDB-2022-001570 // NVD: CVE-2022-23449

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-23449
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-23449
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-28493
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202204-2944
value:	HIGH
Trust: 0.6
VULMON:	CVE-2022-23449
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-23449
severity:	MEDIUM
baseScore:	6.9
vectorString:	AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.4
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2022-28493
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-23449
baseSeverity:	HIGH
baseScore:	7.3
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.3
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2022-23449
baseSeverity:	HIGH
baseScore:	7.3
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-28493 // VULMON: CVE-2022-23449 // JVNDB: JVNDB-2022-001570 // CNNVD: CNNVD-202204-2944 // NVD: CVE-2022-23449

PROBLEMTYPE DATA

problemtype:	CWE-427	Trust: 1.0
problemtype:	Uncontrolled search path elements (CWE-427) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-001570 // NVD: CVE-2022-23449

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202204-2944

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202204-2944

PATCH

title:	SSA-655554	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf	Trust: 0.8
title:	Patch for Unknown Vulnerability in Siemens SIMATIC Energy Manager	url:	https://www.cnvd.org.cn/patchInfo/show/329216	Trust: 0.6
title:	Siemens SIMATIC Fixes for code issue vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=190116	Trust: 0.6

sources: CNVD: CNVD-2022-28493 // JVNDB: JVNDB-2022-001570 // CNNVD: CNNVD-202204-2944

EXTERNAL IDS

db:	NVD	id:	CVE-2022-23449	Trust: 3.9
db:	SIEMENS	id:	SSA-655554	Trust: 2.3
db:	ICS CERT	id:	ICSA-22-104-11	Trust: 1.5
db:	JVN	id:	JVNVU91165555	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-001570	Trust: 0.8
db:	CNVD	id:	CNVD-2022-28493	Trust: 0.6
db:	CS-HELP	id:	SB2022041913	Trust: 0.6
db:	CNNVD	id:	CNNVD-202204-2944	Trust: 0.6
db:	VULMON	id:	CVE-2022-23449	Trust: 0.1

sources: CNVD: CNVD-2022-28493 // VULMON: CVE-2022-23449 // JVNDB: JVNDB-2022-001570 // CNNVD: CNNVD-202204-2944 // NVD: CVE-2022-23449

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf	Trust: 2.3
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-11	Trust: 0.9
url:	https://jvn.jp/vu/jvnvu91165555/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23449	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2022041913	Trust: 0.6
url:	https://vigilance.fr/vulnerability/simatic-energy-manager-three-vulnerabilities-38020	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-104-11	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-23449/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/427.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2022-28493 // VULMON: CVE-2022-23449 // JVNDB: JVNDB-2022-001570 // CNNVD: CNNVD-202204-2944 // NVD: CVE-2022-23449

CREDITS

Noam Moshe of Claroty reported these vulnerabilities to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202204-2944

SOURCES

db:	CNVD	id:	CNVD-2022-28493
db:	VULMON	id:	CVE-2022-23449
db:	JVNDB	id:	JVNDB-2022-001570
db:	CNNVD	id:	CNNVD-202204-2944
db:	NVD	id:	CVE-2022-23449

LAST UPDATE DATE

2024-08-14T13:42:55.123000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-28493	date:	2022-04-13T00:00:00
db:	VULMON	id:	CVE-2022-23449	date:	2022-04-19T00:00:00
db:	JVNDB	id:	JVNDB-2022-001570	date:	2022-04-22T06:27:00
db:	CNNVD	id:	CNNVD-202204-2944	date:	2022-04-20T00:00:00
db:	NVD	id:	CVE-2022-23449	date:	2022-04-19T16:09:44.513

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-28493	date:	2022-04-13T00:00:00
db:	VULMON	id:	CVE-2022-23449	date:	2022-04-12T00:00:00
db:	JVNDB	id:	JVNDB-2022-001570	date:	2022-04-22T00:00:00
db:	CNNVD	id:	CNNVD-202204-2944	date:	2022-04-12T00:00:00
db:	NVD	id:	CVE-2022-23449	date:	2022-04-12T09:15:14.297