ID

VAR-202204-0323


CVE

CVE-2022-23448


TITLE

SIMATIC Energy Manager Basic  and  SIMATIC Energy Manager PRO  Improper Permission Assignment Vulnerability in Critical Resources

Trust: 0.8

sources: JVNDB: JVNDB-2022-001569

DESCRIPTION

A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). Affected applications improperly assign permissions to critical directories and files used by the application processes. This could allow a local unprivileged attacker to achieve code execution with ADMINISTRATOR or even NT AUTHORITY/SYSTEM privileges. SIMATIC Energy Manager visualizes the energy flow and consumption values in the process in detail, assigns them to the relevant consumers or cost centers, and determines the reasons for changes

Trust: 2.25

sources: NVD: CVE-2022-23448 // JVNDB: JVNDB-2022-001569 // CNVD: CNVD-2022-28494 // VULMON: CVE-2022-23448

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-28494

AFFECTED PRODUCTS

vendor:siemensmodel:simatic energy manager basicscope:ltversion:7.3

Trust: 1.0

vendor:siemensmodel:simatic energy manager proscope:ltversion:7.3

Trust: 1.0

vendor:siemensmodel:simatic energy manager basicscope:eqversion:7.3

Trust: 1.0

vendor:siemensmodel:simatic energy manager proscope:eqversion:7.3

Trust: 1.0

vendor:シーメンスmodel:simatic energy manager proscope:eqversion:7.3 update 1

Trust: 0.8

vendor:シーメンスmodel:simatic energy manager basicscope: - version: -

Trust: 0.8

vendor:siemensmodel:simatic energy manager basic updatescope:ltversion:7.31

Trust: 0.6

vendor:siemensmodel:simatic energy manager pro updatescope:ltversion:7.31

Trust: 0.6

sources: CNVD: CNVD-2022-28494 // JVNDB: JVNDB-2022-001569 // NVD: CVE-2022-23448

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-23448
value: HIGH

Trust: 1.0

NVD: CVE-2022-23448
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-28494
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202204-2945
value: HIGH

Trust: 0.6

VULMON: CVE-2022-23448
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2022-23448
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-28494
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-23448
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-23448
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-28494 // VULMON: CVE-2022-23448 // JVNDB: JVNDB-2022-001569 // CNNVD: CNNVD-202204-2945 // NVD: CVE-2022-23448

PROBLEMTYPE DATA

problemtype:CWE-732

Trust: 1.0

problemtype:Improper permission assignment for critical resources (CWE-732) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-001569 // NVD: CVE-2022-23448

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202204-2945

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202204-2945

PATCH

title:SSA-655554url:https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf

Trust: 0.8

title:Patch for Siemens SIMATIC Energy Manager Access Control Error Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/329211

Trust: 0.6

title:Siemens SIMATIC Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=190117

Trust: 0.6

sources: CNVD: CNVD-2022-28494 // JVNDB: JVNDB-2022-001569 // CNNVD: CNNVD-202204-2945

EXTERNAL IDS

db:NVDid:CVE-2022-23448

Trust: 3.9

db:SIEMENSid:SSA-655554

Trust: 2.3

db:ICS CERTid:ICSA-22-104-11

Trust: 1.5

db:JVNid:JVNVU91165555

Trust: 0.8

db:JVNDBid:JVNDB-2022-001569

Trust: 0.8

db:CNVDid:CNVD-2022-28494

Trust: 0.6

db:CS-HELPid:SB2022041913

Trust: 0.6

db:CNNVDid:CNNVD-202204-2945

Trust: 0.6

db:VULMONid:CVE-2022-23448

Trust: 0.1

sources: CNVD: CNVD-2022-28494 // VULMON: CVE-2022-23448 // JVNDB: JVNDB-2022-001569 // CNNVD: CNNVD-202204-2945 // NVD: CVE-2022-23448

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-655554.pdf

Trust: 2.3

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-11

Trust: 0.9

url:https://jvn.jp/vu/jvnvu91165555/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-23448

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022041913

Trust: 0.6

url:https://vigilance.fr/vulnerability/simatic-energy-manager-three-vulnerabilities-38020

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-104-11

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-23448/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/732.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2022-28494 // VULMON: CVE-2022-23448 // JVNDB: JVNDB-2022-001569 // CNNVD: CNNVD-202204-2945 // NVD: CVE-2022-23448

CREDITS

Noam Moshe of Claroty reported these vulnerabilities to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202204-2945

SOURCES

db:CNVDid:CNVD-2022-28494
db:VULMONid:CVE-2022-23448
db:JVNDBid:JVNDB-2022-001569
db:CNNVDid:CNNVD-202204-2945
db:NVDid:CVE-2022-23448

LAST UPDATE DATE

2024-08-14T13:42:54.872000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2022-28494date:2022-04-13T00:00:00
db:VULMONid:CVE-2022-23448date:2022-04-19T00:00:00
db:JVNDBid:JVNDB-2022-001569date:2022-04-22T06:27:00
db:CNNVDid:CNNVD-202204-2945date:2022-04-20T00:00:00
db:NVDid:CVE-2022-23448date:2022-04-19T16:01:49.653

SOURCES RELEASE DATE

db:CNVDid:CNVD-2022-28494date:2022-04-13T00:00:00
db:VULMONid:CVE-2022-23448date:2022-04-12T00:00:00
db:JVNDBid:JVNDB-2022-001569date:2022-04-22T00:00:00
db:CNNVDid:CNNVD-202204-2945date:2022-04-12T00:00:00
db:NVDid:CVE-2022-23448date:2022-04-12T09:15:14.233