Details of VAR-202202-0245

ID

VAR-202202-0245

CVE

CVE-2022-24315

TITLE

Interactive Graphical SCADA System Data Server Out-of-bounds read vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-001366

DESCRIPTION

A CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service when an attacker repeatedly sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior). This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability.The specific flaw exists within the IGSSDataServer process, which listens on TCP port 12401 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to create a denial-of-service condition on the IGSS application. Schneider Electric Interactive Graphical SCADA System (IGSS) is a set of SCADA (Data Acquisition and Supervisory Control System) systems used by Schneider Electric in France to monitor and control industrial processes

Trust: 2.79

sources: NVD: CVE-2022-24315 // JVNDB: JVNDB-2022-001366 // ZDI: ZDI-22-322 // CNVD: CNVD-2022-13071

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-13071

AFFECTED PRODUCTS

vendor:	schneider electric	model:	interactive graphical scada system data server	scope:	lte	version:	15.0.0.22020	Trust: 1.0
vendor:	schneider electric	model:	igss data server	scope:	lte	version:	15.0.0.22020 and earlier	Trust: 0.8
vendor:	schneider electric	model:	igss data server	scope:	eq	version:	-	Trust: 0.8
vendor:	schneider electric	model:	igss	scope:	-	version:	-	Trust: 0.7
vendor:	schneider	model:	electric interactive graphical scada system	scope:	lte	version:	<=15.0.0.22020	Trust: 0.6

sources: ZDI: ZDI-22-322 // CNVD: CNVD-2022-13071 // JVNDB: JVNDB-2022-001366 // NVD: CVE-2022-24315

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-24315
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-24315
value:	HIGH
Trust: 0.8
ZDI:	CVE-2022-24315
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2022-13071
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202202-915
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-24315
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-13071
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-24315
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-24315
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2022-24315
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-22-322 // CNVD: CNVD-2022-13071 // JVNDB: JVNDB-2022-001366 // CNNVD: CNNVD-202202-915 // NVD: CVE-2022-24315

PROBLEMTYPE DATA

problemtype:	CWE-125	Trust: 1.0
problemtype:	Out-of-bounds read (CWE-125) [ Other ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-001366 // NVD: CVE-2022-24315

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-915

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202202-915

PATCH

title:	SEVD-2022-039-01	url:	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-01	Trust: 1.5
title:	Patch for Schneider Electric Interactive Graphical SCADA System Out-of-bounds Read Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/321166	Trust: 0.6
title:	Schneider Electric Interactive Graphical SCADA System Buffer error vulnerability fix	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=181837	Trust: 0.6

sources: ZDI: ZDI-22-322 // CNVD: CNVD-2022-13071 // JVNDB: JVNDB-2022-001366 // CNNVD: CNNVD-202202-915

EXTERNAL IDS

db:	NVD	id:	CVE-2022-24315	Trust: 4.5
db:	ZDI	id:	ZDI-22-322	Trust: 3.1
db:	SCHNEIDER	id:	SEVD-2022-039-01	Trust: 2.2
db:	ICS CERT	id:	ICSA-22-046-01	Trust: 1.4
db:	JVN	id:	JVNVU96061299	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-001366	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-15118	Trust: 0.7
db:	CNVD	id:	CNVD-2022-13071	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0676	Trust: 0.6
db:	CS-HELP	id:	SB2022021405	Trust: 0.6
db:	CNNVD	id:	CNNVD-202202-915	Trust: 0.6

sources: ZDI: ZDI-22-322 // CNVD: CNVD-2022-13071 // JVNDB: JVNDB-2022-001366 // CNNVD: CNNVD-202202-915 // NVD: CVE-2022-24315

REFERENCES

url:	https://www.zerodayinitiative.com/advisories/zdi-22-322/	Trust: 3.0
url:	https://download.schneider-electric.com/files?p_doc_ref=sevd-2022-039-01	Trust: 2.9
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-046-01	Trust: 1.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-24315	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu96061299/	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2022021405	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-046-01	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0676	Trust: 0.6

sources: ZDI: ZDI-22-322 // CNVD: CNVD-2022-13071 // JVNDB: JVNDB-2022-001366 // CNNVD: CNNVD-202202-915 // NVD: CVE-2022-24315

CREDITS

Vyacheslav Moskvin

Trust: 1.3

sources: ZDI: ZDI-22-322 // CNNVD: CNNVD-202202-915

SOURCES

db:	ZDI	id:	ZDI-22-322
db:	CNVD	id:	CNVD-2022-13071
db:	JVNDB	id:	JVNDB-2022-001366
db:	CNNVD	id:	CNNVD-202202-915
db:	NVD	id:	CVE-2022-24315

LAST UPDATE DATE

2024-11-23T21:50:42.648000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-22-322	date:	2023-09-20T00:00:00
db:	CNVD	id:	CNVD-2022-13071	date:	2022-06-13T00:00:00
db:	JVNDB	id:	JVNDB-2022-001366	date:	2022-02-17T05:11:00
db:	CNNVD	id:	CNNVD-202202-915	date:	2022-02-17T00:00:00
db:	NVD	id:	CVE-2022-24315	date:	2024-11-21T06:50:09.320

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-22-322	date:	2022-02-11T00:00:00
db:	CNVD	id:	CNVD-2022-13071	date:	2022-02-22T00:00:00
db:	JVNDB	id:	JVNDB-2022-001366	date:	2022-02-17T00:00:00
db:	CNNVD	id:	CNNVD-202202-915	date:	2022-02-09T00:00:00
db:	NVD	id:	CVE-2022-24315	date:	2022-02-09T23:15:19.887