Details of VAR-202202-0247

ID

VAR-202202-0247

CVE

CVE-2022-24316

TITLE

Interactive Graphical SCADA System Data Server Initialization vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2022-001365

DESCRIPTION

A CWE-665: Improper Initialization vulnerability exists that could cause information exposure when an attacker sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior). This vulnerability allows remote attackers to disclose sensitive information on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability.The specific flaw exists within the IGSSDataServer process, which listens on TCP port 12401 by default. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the IGSSDataServer process. Schneider Electric Interactive Graphical SCADA System (IGSS) is a set of SCADA (Data Acquisition and Supervisory Control System) systems used by Schneider Electric in France to monitor and control industrial processes

Trust: 2.79

sources: NVD: CVE-2022-24316 // JVNDB: JVNDB-2022-001365 // ZDI: ZDI-22-323 // CNVD: CNVD-2022-13065

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-13065

AFFECTED PRODUCTS

vendor:	schneider electric	model:	interactive graphical scada system data server	scope:	lte	version:	15.0.0.22020	Trust: 1.0
vendor:	schneider electric	model:	igss data server	scope:	lte	version:	15.0.0.22020 and earlier	Trust: 0.8
vendor:	schneider electric	model:	igss data server	scope:	eq	version:	-	Trust: 0.8
vendor:	schneider electric	model:	igss	scope:	-	version:	-	Trust: 0.7
vendor:	schneider	model:	electric interactive graphical scada system	scope:	lte	version:	<=15.0.0.22020	Trust: 0.6

sources: ZDI: ZDI-22-323 // CNVD: CNVD-2022-13065 // JVNDB: JVNDB-2022-001365 // NVD: CVE-2022-24316

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-24316
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-24316
value:	HIGH
Trust: 0.8
ZDI:	CVE-2022-24316
value:	MEDIUM
Trust: 0.7
CNVD:	CNVD-2022-13065
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202202-916
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2022-24316
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-13065
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-24316
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-24316
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2022-24316
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-22-323 // CNVD: CNVD-2022-13065 // JVNDB: JVNDB-2022-001365 // CNNVD: CNNVD-202202-916 // NVD: CVE-2022-24316

PROBLEMTYPE DATA

problemtype:	CWE-665	Trust: 1.0
problemtype:	Improper initialization (CWE-665) [ Other ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-001365 // NVD: CVE-2022-24316

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-916

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202202-916

PATCH

title:	SEVD-2022-039-01	url:	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-01	Trust: 0.8
title:	-	url:	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-01https://www.cisa.gov/uscert/ics/advisories/icsa-22-046-01	Trust: 0.7
title:	Patch for Schneider Electric Interactive Graphical SCADA System Initialization Error Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/321221	Trust: 0.6
title:	Interactive Graphical SCADA System Data Server Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=184125	Trust: 0.6

sources: ZDI: ZDI-22-323 // CNVD: CNVD-2022-13065 // JVNDB: JVNDB-2022-001365 // CNNVD: CNNVD-202202-916

EXTERNAL IDS

db:	NVD	id:	CVE-2022-24316	Trust: 4.5
db:	ZDI	id:	ZDI-22-323	Trust: 3.1
db:	SCHNEIDER	id:	SEVD-2022-039-01	Trust: 1.6
db:	ICS CERT	id:	ICSA-22-046-01	Trust: 1.4
db:	JVN	id:	JVNVU96061299	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-001365	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-15119	Trust: 0.7
db:	CNVD	id:	CNVD-2022-13065	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0676	Trust: 0.6
db:	CS-HELP	id:	SB2022021405	Trust: 0.6
db:	CNNVD	id:	CNNVD-202202-916	Trust: 0.6

sources: ZDI: ZDI-22-323 // CNVD: CNVD-2022-13065 // JVNDB: JVNDB-2022-001365 // CNNVD: CNNVD-202202-916 // NVD: CVE-2022-24316

REFERENCES

url:	https://www.zerodayinitiative.com/advisories/zdi-22-323/	Trust: 3.0
url:	https://nvd.nist.gov/vuln/detail/cve-2022-24316	Trust: 2.0
url:	https://download.schneider-electric.com/files?p_doc_ref=sevd-2022-039-01	Trust: 1.6
url:	https://jvn.jp/vu/jvnvu96061299/	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-046-01	Trust: 0.8
url:	https://download.schneider-electric.com/files?p_doc_ref=sevd-2022-039-01https://www.cisa.gov/uscert/ics/advisories/icsa-22-046-01	Trust: 0.7
url:	https://www.cybersecurity-help.cz/vdb/sb2022021405	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-046-01	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0676	Trust: 0.6

sources: ZDI: ZDI-22-323 // CNVD: CNVD-2022-13065 // JVNDB: JVNDB-2022-001365 // CNNVD: CNNVD-202202-916 // NVD: CVE-2022-24316

CREDITS

Vyacheslav Moskvin

Trust: 1.3

sources: ZDI: ZDI-22-323 // CNNVD: CNNVD-202202-916

SOURCES

db:	ZDI	id:	ZDI-22-323
db:	CNVD	id:	CNVD-2022-13065
db:	JVNDB	id:	JVNDB-2022-001365
db:	CNNVD	id:	CNNVD-202202-916
db:	NVD	id:	CVE-2022-24316

LAST UPDATE DATE

2024-11-23T21:50:42.616000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-22-323	date:	2023-09-20T00:00:00
db:	CNVD	id:	CNVD-2022-13065	date:	2022-02-22T00:00:00
db:	JVNDB	id:	JVNDB-2022-001365	date:	2022-02-17T05:04:00
db:	CNNVD	id:	CNNVD-202202-916	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2022-24316	date:	2024-11-21T06:50:09.420

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-22-323	date:	2022-02-11T00:00:00
db:	CNVD	id:	CNVD-2022-13065	date:	2022-02-22T00:00:00
db:	JVNDB	id:	JVNDB-2022-001365	date:	2022-02-17T00:00:00
db:	CNNVD	id:	CNNVD-202202-916	date:	2022-02-09T00:00:00
db:	NVD	id:	CVE-2022-24316	date:	2022-02-09T23:15:19.937