Sign-up

ID

VAR-202207-1527


CVE

CVE-2022-33315


TITLE

ICONICS, Inc.  of  GENESIS 64  Untrusted Data Deserialization Vulnerability in Other Vendors' Products

Trust: 0.8

sources: JVNDB: JVNDB-2022-013549

DESCRIPTION

Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a monitoring screen file including malicious XAML codes. ICONICS, Inc. of GENESIS 64 Products from multiple other vendors contain untrusted data deserialization vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of TDFX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process

Trust: 2.34

sources: NVD: CVE-2022-33315 // JVNDB: JVNDB-2022-013549 // ZDI: ZDI-22-1043 // VULMON: CVE-2022-33315

AFFECTED PRODUCTS

vendor:iconicsmodel:genesis64scope:eqversion:10.97.1

Trust: 1.0

vendor:mitsubishielectricmodel:mc works64scope:lteversion:10.95.210.01

Trust: 1.0

vendor:iconicsmodel:genesis64scope:eqversion:10.97

Trust: 1.0

vendor:三菱電機model:mc works64scope: - version: -

Trust: 0.8

vendor:iconicsmodel:genesis 64scope: - version: -

Trust: 0.8

vendor:iconicsmodel:genesis64scope: - version: -

Trust: 0.7

sources: ZDI: ZDI-22-1043 // JVNDB: JVNDB-2022-013549 // NVD: CVE-2022-33315

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-33315
value: HIGH

Trust: 1.8

ZDI: CVE-2022-33315
value: HIGH

Trust: 0.7

CNNVD: CNNVD-202207-2079
value: HIGH

Trust: 0.6

NVD: CVE-2022-33315
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-33315
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2022-33315
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-22-1043 // JVNDB: JVNDB-2022-013549 // NVD: CVE-2022-33315 // CNNVD: CNNVD-202207-2079

PROBLEMTYPE DATA

problemtype:CWE-502

Trust: 1.0

problemtype:Deserialization of untrusted data (CWE-502) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-013549 // NVD: CVE-2022-33315

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202207-2079

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202207-2079

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2022-33315

PATCH
title:ICONICS has issued an update to correct this vulnerability.url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04
Trust: 0.7
title:Mitsubishi Electric MC Works64  and ICONICS GENESIS64 Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=201700
Trust: 0.6
sources:
            
            
            ZDI: ZDI-22-1043 // 
            
            
            
            CNNVD: CNNVD-202207-2079

EXTERNAL IDS
db:NVDid:CVE-2022-33315
Trust: 4.0
db:JVNid:JVNVU96480474
Trust: 2.5
db:ICS CERTid:ICSA-22-202-04
Trust: 1.5
db:JVNDBid:JVNDB-2022-013549
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-16253
Trust: 0.7
db:ZDIid:ZDI-22-1043
Trust: 0.7
db:CS-HELPid:SB2022072542
Trust: 0.6
db:CNNVDid:CNNVD-202207-2079
Trust: 0.6
db:VULMONid:CVE-2022-33315
Trust: 0.1
sources:
            
            
            ZDI: ZDI-22-1043 // 
            
            
            
            VULMON: CVE-2022-33315 // 
            
            
            
            JVNDB: JVNDB-2022-013549 // 
            
            
            
            NVD: CVE-2022-33315 // 
            
            
            
            CNNVD: CNNVD-202207-2079

REFERENCES
url:https://jvn.jp/vu/jvnvu96480474/index.html
Trust: 2.5
url:https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf
Trust: 2.5
url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04
Trust: 0.8
url:https://jvn.jp/vu/jvnvu96480474/
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2022-33315
Trust: 0.8
url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04
Trust: 0.8
url:https://www.cybersecurity-help.cz/vdb/sb2022072542
Trust: 0.6
url:https://cxsecurity.com/cveshow/cve-2022-33315/
Trust: 0.6
url:https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04
Trust: 0.6
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            ZDI: ZDI-22-1043 // 
            
            
            
            VULMON: CVE-2022-33315 // 
            
            
            
            JVNDB: JVNDB-2022-013549 // 
            
            
            
            NVD: CVE-2022-33315 // 
            
            
            
            CNNVD: CNNVD-202207-2079

CREDITS
Alex Birnberg of Zymo Security
Trust: 0.7
sources:
            
            
            ZDI: ZDI-22-1043

SOURCES
db:ZDIid:ZDI-22-1043
db:VULMONid:CVE-2022-33315
db:JVNDBid:JVNDB-2022-013549
db:NVDid:CVE-2022-33315
db:CNNVDid:CNNVD-202207-2079

LAST UPDATE DATE
2023-09-10T22:31:27.977000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-22-1043date:2022-08-03T00:00:00
db:VULMONid:CVE-2022-33315date:2022-07-20T00:00:00
db:JVNDBid:JVNDB-2022-013549date:2023-09-08T08:28:00
db:NVDid:CVE-2022-33315date:2022-07-27T19:03:00
db:CNNVDid:CNNVD-202207-2079date:2022-08-02T00:00:00

SOURCES RELEASE DATE
db:ZDIid:ZDI-22-1043date:2022-08-03T00:00:00
db:VULMONid:CVE-2022-33315date:2022-07-20T00:00:00
db:JVNDBid:JVNDB-2022-013549date:2023-09-08T00:00:00
db:NVDid:CVE-2022-33315date:2022-07-20T17:15:00
db:CNNVDid:CNNVD-202207-2079date:2022-07-20T00:00:00