Sign-up

ID

VAR-202207-1524


CVE

CVE-2022-33316


TITLE

ICONICS, Inc.  of  GENESIS 64  Untrusted Data Deserialization Vulnerability in Other Vendors' Products

Trust: 0.8

sources: JVNDB: JVNDB-2022-013548

DESCRIPTION

Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a monitoring screen file including malicious XAML codes. ICONICS, Inc. of GENESIS 64 Products from multiple other vendors contain untrusted data deserialization vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of GDFX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process

Trust: 2.34

sources: NVD: CVE-2022-33316 // JVNDB: JVNDB-2022-013548 // ZDI: ZDI-22-1040 // VULMON: CVE-2022-33316

AFFECTED PRODUCTS

vendor:iconicsmodel:genesis64scope:eqversion:10.97.1

Trust: 1.0

vendor:mitsubishielectricmodel:mc works64scope:lteversion:10.95.210.01

Trust: 1.0

vendor:iconicsmodel:genesis64scope:eqversion:10.97

Trust: 1.0

vendor:三菱電機model:mc works64scope: - version: -

Trust: 0.8

vendor:iconicsmodel:genesis 64scope: - version: -

Trust: 0.8

vendor:iconicsmodel:genesis64scope: - version: -

Trust: 0.7

sources: ZDI: ZDI-22-1040 // JVNDB: JVNDB-2022-013548 // NVD: CVE-2022-33316

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-33316
value: HIGH

Trust: 1.8

ZDI: CVE-2022-33316
value: HIGH

Trust: 0.7

CNNVD: CNNVD-202207-2077
value: HIGH

Trust: 0.6

NVD: CVE-2022-33316
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-33316
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2022-33316
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-22-1040 // JVNDB: JVNDB-2022-013548 // NVD: CVE-2022-33316 // CNNVD: CNNVD-202207-2077

PROBLEMTYPE DATA

problemtype:CWE-502

Trust: 1.0

problemtype:Deserialization of untrusted data (CWE-502) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-013548 // NVD: CVE-2022-33316

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202207-2077

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202207-2077

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2022-33316

PATCH
title:ICONICS has issued an update to correct this vulnerability.url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04
Trust: 0.7
title:Mitsubishi Electric MC Works64  and  ICONICS GENESIS64 Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=201403
Trust: 0.6
sources:
            
            
            ZDI: ZDI-22-1040 // 
            
            
            
            CNNVD: CNNVD-202207-2077

EXTERNAL IDS
db:NVDid:CVE-2022-33316
Trust: 4.0
db:JVNid:JVNVU96480474
Trust: 2.5
db:ICS CERTid:ICSA-22-202-04
Trust: 0.9
db:JVNDBid:JVNDB-2022-013548
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-17215
Trust: 0.7
db:ZDIid:ZDI-22-1040
Trust: 0.7
db:CS-HELPid:SB2022072542
Trust: 0.6
db:CNNVDid:CNNVD-202207-2077
Trust: 0.6
db:VULMONid:CVE-2022-33316
Trust: 0.1
sources:
            
            
            ZDI: ZDI-22-1040 // 
            
            
            
            VULMON: CVE-2022-33316 // 
            
            
            
            JVNDB: JVNDB-2022-013548 // 
            
            
            
            NVD: CVE-2022-33316 // 
            
            
            
            CNNVD: CNNVD-202207-2077

REFERENCES
url:https://jvn.jp/vu/jvnvu96480474/index.html
Trust: 2.5
url:https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf
Trust: 2.5
url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04
Trust: 0.8
url:https://jvn.jp/vu/jvnvu96480474/
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2022-33316
Trust: 0.8
url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04
Trust: 0.8
url:https://www.cybersecurity-help.cz/vdb/sb2022072542
Trust: 0.6
url:https://cxsecurity.com/cveshow/cve-2022-33316/
Trust: 0.6
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            ZDI: ZDI-22-1040 // 
            
            
            
            VULMON: CVE-2022-33316 // 
            
            
            
            JVNDB: JVNDB-2022-013548 // 
            
            
            
            NVD: CVE-2022-33316 // 
            
            
            
            CNNVD: CNNVD-202207-2077

CREDITS
Steven Seeley (mr_me) and Chris Anastasio (muffin) of Incite Team
Trust: 0.7
sources:
            
            
            ZDI: ZDI-22-1040

SOURCES
db:ZDIid:ZDI-22-1040
db:VULMONid:CVE-2022-33316
db:JVNDBid:JVNDB-2022-013548
db:NVDid:CVE-2022-33316
db:CNNVDid:CNNVD-202207-2077

LAST UPDATE DATE
2023-09-10T22:31:28.036000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-22-1040date:2022-08-03T00:00:00
db:VULMONid:CVE-2022-33316date:2022-07-20T00:00:00
db:JVNDBid:JVNDB-2022-013548date:2023-09-08T08:28:00
db:NVDid:CVE-2022-33316date:2022-07-27T19:03:00
db:CNNVDid:CNNVD-202207-2077date:2022-08-10T00:00:00

SOURCES RELEASE DATE
db:ZDIid:ZDI-22-1040date:2022-08-03T00:00:00
db:VULMONid:CVE-2022-33316date:2022-07-20T00:00:00
db:JVNDBid:JVNDB-2022-013548date:2023-09-08T00:00:00
db:NVDid:CVE-2022-33316date:2022-07-20T17:15:00
db:CNNVDid:CNNVD-202207-2077date:2022-07-20T00:00:00