ID

VAR-202202-0307


CVE

CVE-2022-21798


TITLE

Cleartext transmission of sensitive information vulnerability in GE Digital Proficy CIMPLICITY

Trust: 0.8

sources: JVNDB: JVNDB-2022-001376

DESCRIPTION

The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system. Proficy CIMPLICITY, an HMI and SCADA platform provided by GE Digital, contains a cleartext transmission of sensitive information vulnerability (CWE-319, CVE-2022-21798). CIMPLICITY authentication information is communicated in clear text on the network. Authentication information sent in clear text may be stolen and the device may be manipulated illegally. GE CIMPLICITY is a client/server-based HMI/SCADA solution from General Electric (GE) in the United States. The solution can collect and share real-time and historical data between all levels of the enterprise, providing operational visualization of processes, equipment, and resource monitoring. There is an information leakage vulnerability in GE Proficy CIMPLICITY. An attacker can use this vulnerability to log in to the system and perform unauthorized operations.

Trust: 2.16

sources: NVD: CVE-2022-21798 // JVNDB: JVNDB-2022-001376 // CNVD: CNVD-2023-98795

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2023-98795

AFFECTED PRODUCTS

vendor: ge, model: cimplicity, scope: eq, version: *

Trust: 1.0

vendor: GE Digital, model: proficy cimplicity, scope: eq, version: all s

Trust: 0.8

vendor: GE Digital, model: proficy cimplicity, scope: eq, version: -

Trust: 0.8

vendor: ge, model: proficy cimplicity, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2023-98795 // JVNDB: JVNDB-2022-001376 // NVD: CVE-2022-21798

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-21798
value: CRITICAL

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-21798
value: HIGH

Trust: 1.0

OTHER: JVNDB-2022-001376
value: HIGH

Trust: 0.8

CNVD: CNVD-2023-98795
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202202-1761
value: CRITICAL

Trust: 0.6

NVD:
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

CNVD: CNVD-2023-98795
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

NVD:
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov:
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT_NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2022-001376
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2023-98795 // JVNDB: JVNDB-2022-001376 // NVD: CVE-2022-21798 // NVD: CVE-2022-21798 // CNNVD: CNNVD-202202-1761

PROBLEMTYPE DATA

problemtype:CWE-319

Trust: 1.0

problemtype:Cleartext transmission of sensitive information (CWE-319) [ Other ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-001376 // NVD: CVE-2022-21798

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-1761

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202202-1761

CONFIGURATIONS

sources: NVD: CVE-2022-21798

PATCH

title: Secure Deployment Guide (Login required) GE Digital, url: https://digitalsupport.ge.com/communities/cc_login?starturl=%2fen_us%2fdocumentation%2fifix-secure-deployment-guide

Trust: 0.8

title: Patch for GE Proficy CIMPLICITY information leakage vulnerability, url: https://www.cnvd.org.cn/patchinfo/show/358056

Trust: 0.6

title: General Electric Proficy Cimplicity Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=185279

Trust: 0.6

sources: CNVD: CNVD-2023-98795 // JVNDB: JVNDB-2022-001376 // CNNVD: CNNVD-202202-1761

EXTERNAL IDS

db: NVD, id: CVE-2022-21798

Trust: 3.0

db: ICS CERT, id: ICSA-22-053-02

Trust: 2.4

db: JVN, id: JVNVU96846804

Trust: 0.8

db: JVNDB, id: JVNDB-2022-001376

Trust: 0.8

db: CNVD, id: CNVD-2023-98795

Trust: 0.6

db: AUSCERT, id: ESB-2022.0787

Trust: 0.6

db: CS-HELP, id: SB2022022305

Trust: 0.6

db: CNNVD, id: CNNVD-202202-1761

Trust: 0.6

sources: CNVD: CNVD-2023-98795 // JVNDB: JVNDB-2022-001376 // NVD: CVE-2022-21798 // CNNVD: CNNVD-202202-1761

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-21798

Trust: 1.2

url:https://jvn.jp/vu/jvnvu96846804/

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-21798/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022022305

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.0787

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-053-02

Trust: 0.6

sources: CNVD: CNVD-2023-98795 // JVNDB: JVNDB-2022-001376 // NVD: CVE-2022-21798 // CNNVD: CNNVD-202202-1761

CREDITS

Users are advised to refer to the

Trust: 0.6

sources: CNNVD: CNNVD-202202-1761

SOURCES

db: CNVD, id: CNVD-2023-98795
db: JVNDB, id: JVNDB-2022-001376
db: NVD, id: CVE-2022-21798
db: CNNVD, id: CNNVD-202202-1761

LAST UPDATE DATE

2023-12-21T22:02:59.477000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2023-98795, date: 2023-12-19T00:00:00
db: JVNDB, id: JVNDB-2022-001376, date: 2022-02-28T07:33:00
db: NVD, id: CVE-2022-21798, date: 2022-03-08T15:38:39.317
db: CNNVD, id: CNNVD-202202-1761, date: 2022-03-09T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2023-98795, date: 2022-10-20T00:00:00
db: JVNDB, id: JVNDB-2022-001376, date: 2022-02-28T00:00:00
db: NVD, id: CVE-2022-21798, date: 2022-02-25T19:15:23.723
db: CNNVD, id: CNNVD-202202-1761, date: 2022-02-22T00:00:00