Details of VAR-202210-0383

ID

VAR-202210-0383

CVE

CVE-2022-40182

TITLE

Unnecessary privileged execution vulnerability in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2022-018812

DESCRIPTION

A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), Desigo PXM50-1 (All versions < V02.20.126.11-41), Desigo PXM50.E (All versions < V02.20.126.11-41), PXG3.W100-1 (All versions < V02.20.126.11-37), PXG3.W100-2 (All versions < V02.20.126.11-41), PXG3.W200-1 (All versions < V02.20.126.11-37), PXG3.W200-2 (All versions < V02.20.126.11-41). The device embedded Chromium-based browser is launched as root with the “--no-sandbox” option. Attackers can add arbitrary JavaScript code inside “Operation” graphics and successfully exploit any number of publicly known vulnerabilities against the version of the embedded Chromium-based browser. desigo pxm30-1 firmware, desigo pxm30.e firmware, desigo pxm40-1 Multiple Siemens products, including firmware, contain an unnecessary privileged execution vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2022-40182 // JVNDB: JVNDB-2022-018812

AFFECTED PRODUCTS

vendor:	siemens	model:	desigo pxm40.e	scope:	lt	version:	02.20.126.11-41	Trust: 1.0
vendor:	siemens	model:	pxg3.w100-1	scope:	lt	version:	02.20.126.11-37	Trust: 1.0
vendor:	siemens	model:	desigo pxm30.e	scope:	lt	version:	02.20.126.11-41	Trust: 1.0
vendor:	siemens	model:	pxg3.w200-1	scope:	lt	version:	02.20.126.11-37	Trust: 1.0
vendor:	siemens	model:	desigo pxm50.e	scope:	lt	version:	02.20.126.11-41	Trust: 1.0
vendor:	siemens	model:	pxg3.w200-2	scope:	lt	version:	02.20.126.11-41	Trust: 1.0
vendor:	siemens	model:	desigo pxm40-1	scope:	lt	version:	02.20.126.11-41	Trust: 1.0
vendor:	siemens	model:	desigo pxm50-1	scope:	lt	version:	02.20.126.11-41	Trust: 1.0
vendor:	siemens	model:	pxg3.w100-2	scope:	lt	version:	02.20.126.11-41	Trust: 1.0
vendor:	siemens	model:	desigo pxm30-1	scope:	lt	version:	02.20.126.11-41	Trust: 1.0
vendor:	シーメンス	model:	pxg3.w100-2	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	desigo pxm30-1	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	pxg3.w100-1	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	desigo pxm50-1	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	desigo pxm50.e	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	desigo pxm30.e	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	desigo pxm40-1	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	desigo pxm40.e	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	pxg3.w200-1	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	pxg3.w200-2	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-018812 // NVD: CVE-2022-40182

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-40182
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-40182
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202210-502
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-40182
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2022-40182
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-018812 // CNNVD: CNNVD-202210-502 // NVD: CVE-2022-40182

PROBLEMTYPE DATA

problemtype:	CWE-250	Trust: 1.0
problemtype:	Execution with unnecessary privileges (CWE-250) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-018812 // NVD: CVE-2022-40182

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202210-502

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202210-502

PATCH

title:

Multiple Siemens Product security vulnerabilities

url:

http://123.124.177.30/web/xxk/bdxqById.tag?id=210584

Trust: 0.6

sources: CNNVD: CNNVD-202210-502

EXTERNAL IDS

db:	NVD	id:	CVE-2022-40182	Trust: 3.2
db:	SIEMENS	id:	SSA-360783	Trust: 2.4
db:	ICS CERT	id:	ICSA-22-286-06	Trust: 1.4
db:	JVN	id:	JVNVU92214181	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-018812	Trust: 0.8
db:	AUSCERT	id:	ESB-2022.5098	Trust: 0.6
db:	CNNVD	id:	CNNVD-202210-502	Trust: 0.6

sources: JVNDB: JVNDB-2022-018812 // CNNVD: CNNVD-202210-502 // NVD: CVE-2022-40182

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-360783.pdf	Trust: 2.4
url:	https://jvn.jp/vu/jvnvu92214181/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-40182	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-22-286-06	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2022.5098	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-286-06	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-40182/	Trust: 0.6

sources: JVNDB: JVNDB-2022-018812 // CNNVD: CNNVD-202210-502 // NVD: CVE-2022-40182

CREDITS

Siemens reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202210-502

SOURCES

db:	JVNDB	id:	JVNDB-2022-018812
db:	CNNVD	id:	CNNVD-202210-502
db:	NVD	id:	CVE-2022-40182

LAST UPDATE DATE

2024-08-14T12:23:25.450000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2022-018812	date:	2023-10-23T08:12:00
db:	CNNVD	id:	CNNVD-202210-502	date:	2022-10-17T00:00:00
db:	NVD	id:	CVE-2022-40182	date:	2022-10-12T15:45:40.070

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2022-018812	date:	2023-10-23T00:00:00
db:	CNNVD	id:	CNNVD-202210-502	date:	2022-10-11T00:00:00
db:	NVD	id:	CVE-2022-40182	date:	2022-10-11T11:15:10.823