ID

VAR-202207-1523


CVE

CVE-2022-33320


TITLE

ICONICS GENESIS64 PKGX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability

Trust: 1.4

sources: ZDI: ZDI-22-1163 // ZDI: ZDI-23-343

DESCRIPTION

Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes. ICONICS, Inc. of GENESIS 64 Products from multiple other vendors contain untrusted data deserialization vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of PKGX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process

Trust: 2.97

sources: NVD: CVE-2022-33320 // JVNDB: JVNDB-2022-013544 // ZDI: ZDI-22-1163 // ZDI: ZDI-23-343 // VULMON: CVE-2022-33320

AFFECTED PRODUCTS

vendor:iconicsmodel:genesis64scope: - version: -

Trust: 1.4

vendor:iconicsmodel:genesis64scope:eqversion:10.97.1

Trust: 1.0

vendor:mitsubishielectricmodel:mc works64scope:lteversion:10.95.210.01

Trust: 1.0

vendor:iconicsmodel:genesis64scope:eqversion:10.97

Trust: 1.0

vendor:三菱電機model:mc works64scope: - version: -

Trust: 0.8

vendor:iconicsmodel:genesis 64scope: - version: -

Trust: 0.8

sources: ZDI: ZDI-22-1163 // ZDI: ZDI-23-343 // JVNDB: JVNDB-2022-013544 // NVD: CVE-2022-33320

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-33320
value: HIGH

Trust: 1.8

ZDI: CVE-2022-33320
value: HIGH

Trust: 1.4

CNNVD: CNNVD-202207-2068
value: HIGH

Trust: 0.6

ZDI: CVE-2022-33320
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.4

NVD: CVE-2022-33320
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-33320
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-22-1163 // ZDI: ZDI-23-343 // JVNDB: JVNDB-2022-013544 // NVD: CVE-2022-33320 // CNNVD: CNNVD-202207-2068

PROBLEMTYPE DATA

problemtype:CWE-502

Trust: 1.0

problemtype:Deserialization of untrusted data (CWE-502) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-013544 // NVD: CVE-2022-33320

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202207-2068

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202207-2068

CONFIGURATIONS

sources: NVD: CVE-2022-33320

PATCH

title:ICONICS has issued an update to correct this vulnerability.url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04

Trust: 0.7

title:ICONICS has issued an update to correct this vulnerability.url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04

Trust: 0.7

title:Mitsubishi Electric MC Works64 Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=201698

Trust: 0.6

sources: ZDI: ZDI-22-1163 // ZDI: ZDI-23-343 // CNNVD: CNNVD-202207-2068

EXTERNAL IDS

db:NVDid:CVE-2022-33320

Trust: 4.7

db:JVNid:JVNVU96480474

Trust: 2.5

db:ICS CERTid:ICSA-22-202-04

Trust: 1.5

db:JVNDBid:JVNDB-2022-013544

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-17361

Trust: 0.7

db:ZDIid:ZDI-22-1163

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-17369

Trust: 0.7

db:ZDIid:ZDI-23-343

Trust: 0.7

db:CS-HELPid:SB2022072542

Trust: 0.6

db:CNNVDid:CNNVD-202207-2068

Trust: 0.6

db:VULMONid:CVE-2022-33320

Trust: 0.1

sources: ZDI: ZDI-22-1163 // ZDI: ZDI-23-343 // VULMON: CVE-2022-33320 // JVNDB: JVNDB-2022-013544 // NVD: CVE-2022-33320 // CNNVD: CNNVD-202207-2068

REFERENCES

url:https://jvn.jp/vu/jvnvu96480474/index.html

Trust: 2.5

url:https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf

Trust: 2.5

url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04

Trust: 1.5

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04

Trust: 0.8

url:https://jvn.jp/vu/jvnvu96480474/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-33320

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-33320/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022072542

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04

Trust: 0.6

url:https://nvd.nist.gov

Trust: 0.1

sources: ZDI: ZDI-22-1163 // ZDI: ZDI-23-343 // VULMON: CVE-2022-33320 // JVNDB: JVNDB-2022-013544 // NVD: CVE-2022-33320 // CNNVD: CNNVD-202207-2068

CREDITS

Noam Moshe of Claroty Research

Trust: 1.4

sources: ZDI: ZDI-22-1163 // ZDI: ZDI-23-343

SOURCES

db:ZDIid:ZDI-22-1163
db:ZDIid:ZDI-23-343
db:VULMONid:CVE-2022-33320
db:JVNDBid:JVNDB-2022-013544
db:NVDid:CVE-2022-33320
db:CNNVDid:CNNVD-202207-2068

LAST UPDATE DATE

2023-09-10T22:31:28.066000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-22-1163date:2022-08-23T00:00:00
db:ZDIid:ZDI-23-343date:2023-03-31T00:00:00
db:VULMONid:CVE-2022-33320date:2022-07-20T00:00:00
db:JVNDBid:JVNDB-2022-013544date:2023-09-08T08:28:00
db:NVDid:CVE-2022-33320date:2022-07-27T18:55:00
db:CNNVDid:CNNVD-202207-2068date:2022-07-28T00:00:00

SOURCES RELEASE DATE

db:ZDIid:ZDI-22-1163date:2022-08-23T00:00:00
db:ZDIid:ZDI-23-343date:2023-03-31T00:00:00
db:VULMONid:CVE-2022-33320date:2022-07-20T00:00:00
db:JVNDBid:JVNDB-2022-013544date:2023-09-08T00:00:00
db:NVDid:CVE-2022-33320date:2022-07-20T17:15:00
db:CNNVDid:CNNVD-202207-2068date:2022-07-20T00:00:00