Details of VAR-202207-1526

ID

VAR-202207-1526

CVE

CVE-2022-33318

TITLE

ICONICS, Inc. of GENESIS 64 Untrusted Data Deserialization Vulnerability in Other Vendors' Products

Trust: 0.8

sources: JVNDB: JVNDB-2022-013546

DESCRIPTION

Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows a remote unauthenticated attacker to execute an arbitrary malicious code by sending specially crafted packets to the GENESIS64 server. ICONICS, Inc. of GENESIS 64 Products from multiple other vendors contain untrusted data deserialization vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. Authentication is not required to exploit this vulnerability.The specific flaw exists within the GenBroker64 service. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the Administrator

Trust: 2.34

sources: NVD: CVE-2022-33318 // JVNDB: JVNDB-2022-013546 // ZDI: ZDI-22-1041 // VULMON: CVE-2022-33318

AFFECTED PRODUCTS

vendor:	iconics	model:	genesis64	scope:	eq	version:	10.97.1	Trust: 1.0
vendor:	mitsubishielectric	model:	mc works64	scope:	lte	version:	10.95.210.01	Trust: 1.0
vendor:	iconics	model:	genesis64	scope:	eq	version:	10.97	Trust: 1.0
vendor:	三菱電機	model:	mc works64	scope:	-	version:	-	Trust: 0.8
vendor:	iconics	model:	genesis 64	scope:	-	version:	-	Trust: 0.8
vendor:	iconics	model:	genesis64	scope:	-	version:	-	Trust: 0.7

sources: ZDI: ZDI-22-1041 // JVNDB: JVNDB-2022-013546 // NVD: CVE-2022-33318

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2022-33318
value:	CRITICAL
Trust: 1.8
ZDI:	CVE-2022-33318
value:	CRITICAL
Trust: 0.7
CNNVD:	CNNVD-202207-2071
value:	CRITICAL
Trust: 0.6

NVD:	CVE-2022-33318
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2022-33318
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2022-33318
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-22-1041 // JVNDB: JVNDB-2022-013546 // NVD: CVE-2022-33318 // CNNVD: CNNVD-202207-2071

PROBLEMTYPE DATA

problemtype:	CWE-502	Trust: 1.0
problemtype:	Deserialization of untrusted data (CWE-502) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-013546 // NVD: CVE-2022-33318

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202207-2071

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202207-2071

CONFIGURATIONS

sources: NVD: CVE-2022-33318

PATCH

title:	ICONICS has issued an update to correct this vulnerability.	url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04	Trust: 0.7
title:	Mitsubishi Electric MC Works64 Fixes for code issue vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=201119	Trust: 0.6

sources: ZDI: ZDI-22-1041 // CNNVD: CNNVD-202207-2071

EXTERNAL IDS

db:	NVD	id:	CVE-2022-33318	Trust: 4.0
db:	JVN	id:	JVNVU96480474	Trust: 2.5
db:	ICS CERT	id:	ICSA-22-202-04	Trust: 1.5
db:	JVNDB	id:	JVNDB-2022-013546	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-17200	Trust: 0.7
db:	ZDI	id:	ZDI-22-1041	Trust: 0.7
db:	CS-HELP	id:	SB2022072542	Trust: 0.6
db:	CNNVD	id:	CNNVD-202207-2071	Trust: 0.6
db:	VULMON	id:	CVE-2022-33318	Trust: 0.1

sources: ZDI: ZDI-22-1041 // VULMON: CVE-2022-33318 // JVNDB: JVNDB-2022-013546 // NVD: CVE-2022-33318 // CNNVD: CNNVD-202207-2071

REFERENCES

url:	https://jvn.jp/vu/jvnvu96480474/index.html	Trust: 2.5
url:	https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf	Trust: 2.5
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu96480474/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-33318	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2022072542	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-33318/	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: ZDI: ZDI-22-1041 // VULMON: CVE-2022-33318 // JVNDB: JVNDB-2022-013546 // NVD: CVE-2022-33318 // CNNVD: CNNVD-202207-2071

CREDITS

Axel '0vercl0k' Souchet

Trust: 0.7

sources: ZDI: ZDI-22-1041

SOURCES

db:	ZDI	id:	ZDI-22-1041
db:	VULMON	id:	CVE-2022-33318
db:	JVNDB	id:	JVNDB-2022-013546
db:	NVD	id:	CVE-2022-33318
db:	CNNVD	id:	CNNVD-202207-2071

LAST UPDATE DATE

2023-09-10T22:31:27.948000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-22-1041	date:	2022-08-03T00:00:00
db:	VULMON	id:	CVE-2022-33318	date:	2022-07-20T00:00:00
db:	JVNDB	id:	JVNDB-2022-013546	date:	2023-09-08T08:28:00
db:	NVD	id:	CVE-2022-33318	date:	2022-07-27T18:59:00
db:	CNNVD	id:	CNNVD-202207-2071	date:	2022-07-28T00:00:00

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-22-1041	date:	2022-08-03T00:00:00
db:	VULMON	id:	CVE-2022-33318	date:	2022-07-20T00:00:00
db:	JVNDB	id:	JVNDB-2022-013546	date:	2023-09-08T00:00:00
db:	NVD	id:	CVE-2022-33318	date:	2022-07-20T17:15:00
db:	CNNVD	id:	CNNVD-202207-2071	date:	2022-07-20T00:00:00