Sign-up

ID

VAR-202207-1523


CVE

CVE-2022-33320


TITLE

ICONICS GENESIS64 PKGX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability

Trust: 1.4

sources: ZDI: ZDI-22-1163 // ZDI: ZDI-23-343

DESCRIPTION

Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes. ICONICS, Inc. of GENESIS 64 Products from multiple other vendors contain untrusted data deserialization vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of PKGX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process

Trust: 2.97

sources: NVD: CVE-2022-33320 // JVNDB: JVNDB-2022-013544 // ZDI: ZDI-22-1163 // ZDI: ZDI-23-343 // VULMON: CVE-2022-33320

AFFECTED PRODUCTS

vendor:iconicsmodel:genesis64scope: - version: -

Trust: 1.4

vendor:iconicsmodel:genesis64scope:eqversion:10.97.1

Trust: 1.0

vendor:mitsubishielectricmodel:mc works64scope:lteversion:10.95.210.01

Trust: 1.0

vendor:iconicsmodel:genesis64scope:eqversion:10.97

Trust: 1.0

vendor:三菱電機model:mc works64scope: - version: -

Trust: 0.8

vendor:iconicsmodel:genesis 64scope: - version: -

Trust: 0.8

sources: ZDI: ZDI-22-1163 // ZDI: ZDI-23-343 // JVNDB: JVNDB-2022-013544 // NVD: CVE-2022-33320

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-33320
value: HIGH

Trust: 1.8

ZDI: CVE-2022-33320
value: HIGH

Trust: 1.4

CNNVD: CNNVD-202207-2068
value: HIGH

Trust: 0.6

ZDI: CVE-2022-33320
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.4

NVD: CVE-2022-33320
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-33320
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-22-1163 // ZDI: ZDI-23-343 // JVNDB: JVNDB-2022-013544 // NVD: CVE-2022-33320 // CNNVD: CNNVD-202207-2068

PROBLEMTYPE DATA

problemtype:CWE-502

Trust: 1.0

problemtype:Deserialization of untrusted data (CWE-502) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-013544 // NVD: CVE-2022-33320

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202207-2068

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202207-2068

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2022-33320

PATCH
title:ICONICS has issued an update to correct this vulnerability.url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04
Trust: 0.7
title:ICONICS has issued an update to correct this vulnerability.url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04
Trust: 0.7
title:Mitsubishi Electric MC Works64 Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=201698
Trust: 0.6
sources:
            
            
            ZDI: ZDI-22-1163 // 
            
            
            
            ZDI: ZDI-23-343 // 
            
            
            
            CNNVD: CNNVD-202207-2068

EXTERNAL IDS
db:NVDid:CVE-2022-33320
Trust: 4.7
db:JVNid:JVNVU96480474
Trust: 2.5
db:ICS CERTid:ICSA-22-202-04
Trust: 1.5
db:JVNDBid:JVNDB-2022-013544
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-17361
Trust: 0.7
db:ZDIid:ZDI-22-1163
Trust: 0.7
db:ZDI_CANid:ZDI-CAN-17369
Trust: 0.7
db:ZDIid:ZDI-23-343
Trust: 0.7
db:CS-HELPid:SB2022072542
Trust: 0.6
db:CNNVDid:CNNVD-202207-2068
Trust: 0.6
db:VULMONid:CVE-2022-33320
Trust: 0.1
sources:
            
            
            ZDI: ZDI-22-1163 // 
            
            
            
            ZDI: ZDI-23-343 // 
            
            
            
            VULMON: CVE-2022-33320 // 
            
            
            
            JVNDB: JVNDB-2022-013544 // 
            
            
            
            NVD: CVE-2022-33320 // 
            
            
            
            CNNVD: CNNVD-202207-2068

REFERENCES
url:https://jvn.jp/vu/jvnvu96480474/index.html
Trust: 2.5
url:https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf
Trust: 2.5
url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04
Trust: 1.5
url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04
Trust: 0.8
url:https://jvn.jp/vu/jvnvu96480474/
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2022-33320
Trust: 0.8
url:https://cxsecurity.com/cveshow/cve-2022-33320/
Trust: 0.6
url:https://www.cybersecurity-help.cz/vdb/sb2022072542
Trust: 0.6
url:https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04
Trust: 0.6
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            ZDI: ZDI-22-1163 // 
            
            
            
            ZDI: ZDI-23-343 // 
            
            
            
            VULMON: CVE-2022-33320 // 
            
            
            
            JVNDB: JVNDB-2022-013544 // 
            
            
            
            NVD: CVE-2022-33320 // 
            
            
            
            CNNVD: CNNVD-202207-2068

CREDITS
Noam Moshe of Claroty Research
Trust: 1.4
sources:
            
            
            ZDI: ZDI-22-1163 // 
            
            
            
            ZDI: ZDI-23-343

SOURCES
db:ZDIid:ZDI-22-1163
db:ZDIid:ZDI-23-343
db:VULMONid:CVE-2022-33320
db:JVNDBid:JVNDB-2022-013544
db:NVDid:CVE-2022-33320
db:CNNVDid:CNNVD-202207-2068

LAST UPDATE DATE
2023-09-10T22:31:28.066000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-22-1163date:2022-08-23T00:00:00
db:ZDIid:ZDI-23-343date:2023-03-31T00:00:00
db:VULMONid:CVE-2022-33320date:2022-07-20T00:00:00
db:JVNDBid:JVNDB-2022-013544date:2023-09-08T08:28:00
db:NVDid:CVE-2022-33320date:2022-07-27T18:55:00
db:CNNVDid:CNNVD-202207-2068date:2022-07-28T00:00:00

SOURCES RELEASE DATE
db:ZDIid:ZDI-22-1163date:2022-08-23T00:00:00
db:ZDIid:ZDI-23-343date:2023-03-31T00:00:00
db:VULMONid:CVE-2022-33320date:2022-07-20T00:00:00
db:JVNDBid:JVNDB-2022-013544date:2023-09-08T00:00:00
db:NVDid:CVE-2022-33320date:2022-07-20T17:15:00
db:CNNVDid:CNNVD-202207-2068date:2022-07-20T00:00:00