ID

VAR-202407-0046


CVE

CVE-2024-4708


TITLE

mySCADA myPRO Hard-Coded Credentials Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-24-1226

DESCRIPTION

mySCADA myPRO uses a hard-coded password which could allow an attacker to remotely execute code on the affected device. Authentication is not required to exploit this vulnerability. The specific flaw exists within the telnet service, which listens on TCP port 5005 by default. The issue results from the use of hard-coded credentials. mySCADA myPRO is application software: a professional HMI/SCADA system designed primarily for visualization and control of industrial processes.

Trust: 2.07

sources: NVD: CVE-2024-4708 // ZDI: ZDI-24-1226 // CNVD: CNVD-2024-46410

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-46410

AFFECTED PRODUCTS

vendor: myscada
model: mypro
scope: lt
version: 8.31.0

Trust: 1.6

vendor: myscada
model: mypro
scope: -
version: -

Trust: 0.7

sources: ZDI: ZDI-24-1226 // CNVD: CNVD-2024-46410 // NVD: CVE-2024-4708

CVSS

SEVERITY

nvd@nist.gov: CVE-2024-4708
value: CRITICAL

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2024-4708
value: CRITICAL

Trust: 1.0

ZDI: CVE-2024-4708
value: CRITICAL

Trust: 0.7

CNVD: CNVD-2024-46410
value: HIGH

Trust: 0.6

CVSSV2

CNVD: CNVD-2024-46410
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2024-4708
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 2.0

ZDI: CVE-2024-4708
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-24-1226 // CNVD: CNVD-2024-46410 // NVD: CVE-2024-4708 // NVD: CVE-2024-4708

PROBLEMTYPE DATA

problemtype: CWE-259

Trust: 1.0

problemtype: CWE-798

Trust: 1.0

sources: NVD: CVE-2024-4708

PATCH

title: mySCADA has issued an update to correct this vulnerability.
url: https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-02

Trust: 0.7

title: Patch for mySCADA myPRO Trust Management Issue Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/634291

Trust: 0.6

sources: ZDI: ZDI-24-1226 // CNVD: CNVD-2024-46410

EXTERNAL IDS

db: NVD
id: CVE-2024-4708

Trust: 2.3

db: ICS CERT
id: ICSA-24-184-02

Trust: 1.6

db: ZDI_CAN
id: ZDI-CAN-23546

Trust: 0.7

db: ZDI
id: ZDI-24-1226

Trust: 0.7

db: CNVD
id: CNVD-2024-46410

Trust: 0.6

sources: ZDI: ZDI-24-1226 // CNVD: CNVD-2024-46410 // NVD: CVE-2024-4708

REFERENCES

url: https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-02

Trust: 2.3

url: https://www.myscada.org/mypro/

Trust: 1.0

sources: ZDI: ZDI-24-1226 // CNVD: CNVD-2024-46410 // NVD: CVE-2024-4708

CREDITS

Nassim Asrir

Trust: 0.7

sources: ZDI: ZDI-24-1226

SOURCES

db: ZDI, id: ZDI-24-1226
db: CNVD, id: CNVD-2024-46410
db: NVD, id: CVE-2024-4708

LAST UPDATE DATE

2024-11-29T23:04:10.837000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-24-1226, date: 2024-09-13T00:00:00
db: CNVD, id: CNVD-2024-46410, date: 2024-11-28T00:00:00
db: NVD, id: CVE-2024-4708, date: 2024-08-29T19:31:56.517

SOURCES RELEASE DATE

db: ZDI, id: ZDI-24-1226, date: 2024-09-13T00:00:00
db: CNVD, id: CNVD-2024-46410, date: 2024-11-28T00:00:00
db: NVD, id: CVE-2024-4708, date: 2024-07-02T23:15:10.860