Details of VAR-202202-0243

ID

VAR-202202-0243

CVE

CVE-2022-24317

TITLE

Interactive Graphical SCADA System Data Server Vulnerability regarding lack of authentication in

Trust: 0.8

sources: JVNDB: JVNDB-2022-005333

DESCRIPTION

A CWE-862: Missing Authorization vulnerability exists that could cause information exposure when an attacker sends a specific message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior). This vulnerability allows remote attackers to disclose sensitive information on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability.The specific flaw exists within the IGSSDataServer process, which listens on TCP port 12401 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose information from the IGSS application. Schneider Electric Interactive Graphical SCADA System (IGSS) is a set of SCADA (Data Acquisition and Supervisory Control System) systems used by Schneider Electric in France to monitor and control industrial processes

Trust: 2.79

sources: NVD: CVE-2022-24317 // JVNDB: JVNDB-2022-005333 // ZDI: ZDI-22-324 // CNVD: CNVD-2022-13072

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-13072

AFFECTED PRODUCTS

vendor:	schneider electric	model:	interactive graphical scada system data server	scope:	lte	version:	15.0.0.22020	Trust: 1.0
vendor:	schneider electric	model:	igss data server	scope:	eq	version:	-	Trust: 0.8
vendor:	schneider electric	model:	igss data server	scope:	lte	version:	15.0.0.22020 and earlier	Trust: 0.8
vendor:	schneider electric	model:	igss	scope:	-	version:	-	Trust: 0.7
vendor:	schneider	model:	electric interactive graphical scada system	scope:	lte	version:	<=15.0.0.22020	Trust: 0.6

sources: ZDI: ZDI-22-324 // CNVD: CNVD-2022-13072 // JVNDB: JVNDB-2022-005333 // NVD: CVE-2022-24317

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-24317
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-24317
value:	HIGH
Trust: 0.8
ZDI:	CVE-2022-24317
value:	MEDIUM
Trust: 0.7
CNVD:	CNVD-2022-13072
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202202-917
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-24317
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-13072
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-24317
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-24317
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2022-24317
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-22-324 // CNVD: CNVD-2022-13072 // JVNDB: JVNDB-2022-005333 // CNNVD: CNNVD-202202-917 // NVD: CVE-2022-24317

PROBLEMTYPE DATA

problemtype:	CWE-862	Trust: 1.0
problemtype:	Lack of authentication (CWE-862) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-005333 // NVD: CVE-2022-24317

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-917

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202202-917

PATCH

title:	SEVD-2022-039-01	url:	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-01	Trust: 0.8
title:	-	url:	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-01https://www.cisa.gov/uscert/ics/advisories/icsa-22-046-01	Trust: 0.7
title:	Patch for Schneider Electric Interactive Graphical SCADA System Authorization Issue Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/321161	Trust: 0.6
title:	Schneider Electric Interactive Graphical SCADA System Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=182724	Trust: 0.6

sources: ZDI: ZDI-22-324 // CNVD: CNVD-2022-13072 // JVNDB: JVNDB-2022-005333 // CNNVD: CNNVD-202202-917

EXTERNAL IDS

db:	NVD	id:	CVE-2022-24317	Trust: 4.5
db:	ZDI	id:	ZDI-22-324	Trust: 3.1
db:	SCHNEIDER	id:	SEVD-2022-039-01	Trust: 2.2
db:	ICS CERT	id:	ICSA-22-046-01	Trust: 1.4
db:	JVN	id:	JVNVU96061299	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-005333	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-15193	Trust: 0.7
db:	CNVD	id:	CNVD-2022-13072	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0676	Trust: 0.6
db:	CS-HELP	id:	SB2022021405	Trust: 0.6
db:	CNNVD	id:	CNNVD-202202-917	Trust: 0.6

sources: ZDI: ZDI-22-324 // CNVD: CNVD-2022-13072 // JVNDB: JVNDB-2022-005333 // CNNVD: CNNVD-202202-917 // NVD: CVE-2022-24317

REFERENCES

url:	https://www.zerodayinitiative.com/advisories/zdi-22-324/	Trust: 3.0
url:	https://download.schneider-electric.com/files?p_doc_ref=sevd-2022-039-01	Trust: 2.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-24317	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu96061299/	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-22-046-01	Trust: 0.8
url:	https://download.schneider-electric.com/files?p_doc_ref=sevd-2022-039-01https://www.cisa.gov/uscert/ics/advisories/icsa-22-046-01	Trust: 0.7
url:	https://www.cybersecurity-help.cz/vdb/sb2022021405	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-046-01	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0676	Trust: 0.6

sources: ZDI: ZDI-22-324 // CNVD: CNVD-2022-13072 // JVNDB: JVNDB-2022-005333 // CNNVD: CNNVD-202202-917 // NVD: CVE-2022-24317

CREDITS

Vyacheslav Moskvin

Trust: 1.3

sources: ZDI: ZDI-22-324 // CNNVD: CNNVD-202202-917

SOURCES

db:	ZDI	id:	ZDI-22-324
db:	CNVD	id:	CNVD-2022-13072
db:	JVNDB	id:	JVNDB-2022-005333
db:	CNNVD	id:	CNNVD-202202-917
db:	NVD	id:	CVE-2022-24317

LAST UPDATE DATE

2024-11-23T21:50:42.743000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-22-324	date:	2023-09-20T00:00:00
db:	CNVD	id:	CNVD-2022-13072	date:	2022-02-22T00:00:00
db:	JVNDB	id:	JVNDB-2022-005333	date:	2023-05-29T00:04:00
db:	CNNVD	id:	CNNVD-202202-917	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2022-24317	date:	2024-11-21T06:50:09.527

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-22-324	date:	2022-02-11T00:00:00
db:	CNVD	id:	CNVD-2022-13072	date:	2022-02-22T00:00:00
db:	JVNDB	id:	JVNDB-2022-005333	date:	2023-05-29T00:00:00
db:	CNNVD	id:	CNNVD-202202-917	date:	2022-02-09T00:00:00
db:	NVD	id:	CVE-2022-24317	date:	2022-02-09T23:15:19.990