ID

VAR-202207-1529


CVE

CVE-2022-33317


TITLE

Inclusion of functionality from untrusted control sphere vulnerability in ICONICS GENESIS64 and products from multiple other vendors

Trust: 0.8

sources: JVNDB: JVNDB-2022-013547

DESCRIPTION

Inclusion of Functionality from Untrusted Control Sphere vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute arbitrary malicious code by leading a user to load a monitoring screen file containing malicious script code. ICONICS GENESIS64 and products from several other vendors contain a vulnerability related to the inclusion of functionality from an untrusted control sphere. Information may be obtained or tampered with, and service operation may be interrupted (DoS). The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TDFX files. The issue results from the exposure of a dangerous method. An attacker can leverage this vulnerability to execute code in the context of the current process.

Trust: 2.97

sources: NVD: CVE-2022-33317 // JVNDB: JVNDB-2022-013547 // ZDI: ZDI-22-1162 // ZDI: ZDI-22-1039 // VULMON: CVE-2022-33317

AFFECTED PRODUCTS

vendor: iconics, model: genesis64, scope: -, version: -

Trust: 1.4

vendor: iconics, model: genesis64, scope: eq, version: 10.97.1

Trust: 1.0

vendor: mitsubishielectric, model: mc works64, scope: lte, version: 10.95.210.01

Trust: 1.0

vendor: iconics, model: genesis64, scope: eq, version: 10.97

Trust: 1.0

vendor: 三菱電機, model: mc works64, scope: -, version: -

Trust: 0.8

vendor: iconics, model: genesis 64, scope: -, version: -

Trust: 0.8

sources: ZDI: ZDI-22-1162 // ZDI: ZDI-22-1039 // JVNDB: JVNDB-2022-013547 // NVD: CVE-2022-33317

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-33317
value: HIGH

Trust: 1.8

ZDI: CVE-2022-33317
value: CRITICAL

Trust: 0.7

ZDI: CVE-2022-33317
value: HIGH

Trust: 0.7

CNNVD: CNNVD-202207-2074
value: HIGH

Trust: 0.6

NVD: CVE-2022-33317
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-33317
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2022-33317
baseSeverity: CRITICAL
baseScore: 7.0
vectorString: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.0

Trust: 0.7

ZDI: CVE-2022-33317
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-22-1162 // ZDI: ZDI-22-1039 // JVNDB: JVNDB-2022-013547 // NVD: CVE-2022-33317 // CNNVD: CNNVD-202207-2074

PROBLEMTYPE DATA

problemtype:CWE-829

Trust: 1.0

problemtype: Inclusion of Functionality from Untrusted Control Sphere (CWE-829) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-013547 // NVD: CVE-2022-33317

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202207-2074

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202207-2074

CONFIGURATIONS

sources: NVD: CVE-2022-33317

PATCH

title: ICONICS has issued an update to correct this vulnerability.
url: https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04

Trust: 1.4

title: Mitsubishi Electric MC Works64 and ICONICS GENESIS64 Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=201699

Trust: 0.6

sources: ZDI: ZDI-22-1162 // ZDI: ZDI-22-1039 // CNNVD: CNNVD-202207-2074

EXTERNAL IDS

db: NVD, id: CVE-2022-33317

Trust: 4.7

db: JVN, id: JVNVU96480474

Trust: 2.5

db: ICS CERT, id: ICSA-22-202-04

Trust: 1.5

db: JVNDB, id: JVNDB-2022-013547

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-17360

Trust: 0.7

db: ZDI, id: ZDI-22-1162

Trust: 0.7

db: ZDI_CAN, id: ZDI-CAN-17198

Trust: 0.7

db: ZDI, id: ZDI-22-1039

Trust: 0.7

db: CS-HELP, id: SB2022072542

Trust: 0.6

db: CNNVD, id: CNNVD-202207-2074

Trust: 0.6

db: VULMON, id: CVE-2022-33317

Trust: 0.1

sources: ZDI: ZDI-22-1162 // ZDI: ZDI-22-1039 // VULMON: CVE-2022-33317 // JVNDB: JVNDB-2022-013547 // NVD: CVE-2022-33317 // CNNVD: CNNVD-202207-2074

REFERENCES

url:https://jvn.jp/vu/jvnvu96480474/index.html

Trust: 2.5

url:https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf

Trust: 2.5

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04

Trust: 1.5

url:https://jvn.jp/vu/jvnvu96480474/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-33317

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022072542

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-33317/

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04

Trust: 0.6

url:https://nvd.nist.gov

Trust: 0.1

sources: ZDI: ZDI-22-1162 // ZDI: ZDI-22-1039 // VULMON: CVE-2022-33317 // JVNDB: JVNDB-2022-013547 // NVD: CVE-2022-33317 // CNNVD: CNNVD-202207-2074

CREDITS

Noam Moshe of Claroty Research

Trust: 0.7

sources: ZDI: ZDI-22-1162

SOURCES

db: ZDI, id: ZDI-22-1162
db: ZDI, id: ZDI-22-1039
db: VULMON, id: CVE-2022-33317
db: JVNDB, id: JVNDB-2022-013547
db: NVD, id: CVE-2022-33317
db: CNNVD, id: CNNVD-202207-2074

LAST UPDATE DATE

2023-09-10T22:31:27.883000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-22-1162, date: 2022-08-23T00:00:00
db: ZDI, id: ZDI-22-1039, date: 2022-08-03T00:00:00
db: VULMON, id: CVE-2022-33317, date: 2022-07-20T00:00:00
db: JVNDB, id: JVNDB-2022-013547, date: 2023-09-08T08:28:00
db: NVD, id: CVE-2022-33317, date: 2022-07-27T19:02:00
db: CNNVD, id: CNNVD-202207-2074, date: 2022-08-10T00:00:00

SOURCES RELEASE DATE

db: ZDI, id: ZDI-22-1162, date: 2022-08-23T00:00:00
db: ZDI, id: ZDI-22-1039, date: 2022-08-03T00:00:00
db: VULMON, id: CVE-2022-33317, date: 2022-07-20T00:00:00
db: JVNDB, id: JVNDB-2022-013547, date: 2023-09-08T00:00:00
db: NVD, id: CVE-2022-33317, date: 2022-07-20T17:15:00
db: CNNVD, id: CNNVD-202207-2074, date: 2022-07-20T00:00:00