Sign-up

ID

VAR-202201-0616


CVE

CVE-2022-22722


TITLE

Schneider Electric Easergy P5 Trust Management Issue Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2022-70096 // CNNVD: CNNVD-202201-943

DESCRIPTION

A CWE-798: Use of Hard-coded Credentials vulnerability exists that could result in information disclosure. If an attacker were to obtain the SSH cryptographic key for the device and take active control of the local operational network connected to the product they could potentially observe and manipulate traffic associated with product configuration. Affected Product: Easergy P5 (All firmware versions prior to V01.401.101). Easergy P5 Is vulnerable to the use of hard-coded credentials.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Schneider Electric Easergy P5 is a protection relay from Schneider Electric in France for demanding medium voltage applications. The Schneider Electric Easergy P5 has a trust management issue vulnerability that exists due to the presence of hardcoded credentials in the application code

Trust: 2.25

sources: NVD: CVE-2022-22722 // JVNDB: JVNDB-2022-001377 // CNVD: CNVD-2022-70096 // VULMON: CVE-2022-22722

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-70096

AFFECTED PRODUCTS

vendor:schneider electricmodel:easergy p5scope:ltversion:01.401.101

Trust: 1.0

vendor:schneider electricmodel:easergy p5scope:eqversion: -

Trust: 0.8

vendor:schneider electricmodel:easergy p5scope:eqversion:easergy p5 firmware 01.401.101

Trust: 0.8

vendor:schneidermodel:electric easergy p5scope:ltversion:01.401.101

Trust: 0.6

sources: CNVD: CNVD-2022-70096 // JVNDB: JVNDB-2022-001377 // NVD: CVE-2022-22722

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-22722
value: HIGH

Trust: 1.0

NVD: CVE-2022-22722
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-70096
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202201-943
value: HIGH

Trust: 0.6

VULMON: CVE-2022-22722
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-22722
severity: MEDIUM
baseScore: 5.4
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-70096
severity: MEDIUM
baseScore: 5.4
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-22722
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-22722
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-70096 // VULMON: CVE-2022-22722 // JVNDB: JVNDB-2022-001377 // CNNVD: CNNVD-202201-943 // NVD: CVE-2022-22722

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.0

problemtype:Using hardcoded credentials (CWE-798) [ Other ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-001377 // NVD: CVE-2022-22722

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202201-943

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202201-943

PATCH

title:SEVD-2022-011-03url:https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-03

Trust: 0.8

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-22722 // JVNDB: JVNDB-2022-001377

EXTERNAL IDS

db:NVDid:CVE-2022-22722

Trust: 3.9

db:SCHNEIDERid:SEVD-2022-011-03

Trust: 1.7

db:ICS CERTid:ICSA-22-055-03

Trust: 1.5

db:JVNid:JVNVU95341726

Trust: 0.8

db:JVNDBid:JVNDB-2022-001377

Trust: 0.8

db:CNVDid:CNVD-2022-70096

Trust: 0.6

db:CS-HELPid:SB2022011209

Trust: 0.6

db:AUSCERTid:ESB-2022.0825

Trust: 0.6

db:CNNVDid:CNNVD-202201-943

Trust: 0.6

db:VULMONid:CVE-2022-22722

Trust: 0.1

sources: CNVD: CNVD-2022-70096 // VULMON: CVE-2022-22722 // JVNDB: JVNDB-2022-001377 // CNNVD: CNNVD-202201-943 // NVD: CVE-2022-22722

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2022-22722

Trust: 2.0

url:https://download.schneider-electric.com/files?p_doc_ref=sevd-2022-011-03

Trust: 1.7

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-055-03

Trust: 0.9

url:http://jvn.jp/vu/jvnvu95341726/index.html

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022011209

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.0825

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-055-03

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/798.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: CNVD: CNVD-2022-70096 // VULMON: CVE-2022-22722 // JVNDB: JVNDB-2022-001377 // CNNVD: CNNVD-202201-943 // NVD: CVE-2022-22722

CREDITS

Paul Noalhyt, and Yuanzhe Wu at Red Balloon Security reported these vulnerabilities to CISA.,Timothée Chauvin

Trust: 0.6

sources: CNNVD: CNNVD-202201-943

SOURCES

db:CNVDid:CNVD-2022-70096
db:VULMONid:CVE-2022-22722
db:JVNDBid:JVNDB-2022-001377
db:CNNVDid:CNNVD-202201-943
db:NVDid:CVE-2022-22722

LAST UPDATE DATE

2024-11-23T21:33:12.455000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2022-70096date:2022-10-20T00:00:00
db:VULMONid:CVE-2022-22722date:2022-02-10T00:00:00
db:JVNDBid:JVNDB-2022-001377date:2022-02-28T08:50:00
db:CNNVDid:CNNVD-202201-943date:2022-02-28T00:00:00
db:NVDid:CVE-2022-22722date:2024-11-21T06:47:19.423

SOURCES RELEASE DATE

db:CNVDid:CNVD-2022-70096date:2022-10-21T00:00:00
db:VULMONid:CVE-2022-22722date:2022-02-04T00:00:00
db:JVNDBid:JVNDB-2022-001377date:2022-02-28T00:00:00
db:CNNVDid:CNNVD-202201-943date:2022-01-12T00:00:00
db:NVDid:CVE-2022-22722date:2022-02-04T23:15:13.067