Sign-up

ID

VAR-202207-1071


CVE

CVE-2022-35872


TITLE

Inductive Automation  of  Ignition  Untrusted Data Deserialization Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-013798

DESCRIPTION

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17115. (DoS) It may be in a state. Inductive Automation Ignition‌ is a comprehensive platform for industrial automation that provides scalable solutions for monitoring, control, data collection, and analysis. The vulnerability is caused by insecure input validation when processing serialized data

Trust: 2.88

sources: NVD: CVE-2022-35872 // JVNDB: JVNDB-2022-013798 // ZDI: ZDI-22-1019 // CNVD: CNVD-2024-48767 // VULMON: CVE-2022-35872

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-48767

AFFECTED PRODUCTS

vendor:inductive automationmodel:ignitionscope: - version: -

Trust: 1.5

vendor:inductiveautomationmodel:ignitionscope:eqversion:8.1.15

Trust: 1.0

vendor:inductive automationmodel:ignitionscope:eqversion: -

Trust: 0.8

vendor:inductive automationmodel:ignitionscope:eqversion:8.1.15

Trust: 0.8

vendor:inductivemodel:automation inductive automation ignitionscope:gteversion:7.9.0,<=8.1.16

Trust: 0.6

sources: ZDI: ZDI-22-1019 // CNVD: CNVD-2024-48767 // JVNDB: JVNDB-2022-013798 // NVD: CVE-2022-35872

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2022-35872
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2022-35872
value: HIGH

Trust: 1.0

NVD: CVE-2022-35872
value: HIGH

Trust: 0.8

ZDI: CVE-2022-35872
value: HIGH

Trust: 0.7

CNVD: CNVD-2024-48767
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202207-1489
value: HIGH

Trust: 0.6

CNVD: CNVD-2024-48767
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

zdi-disclosures@trendmicro.com: CVE-2022-35872
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2022-35872
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ZDI: CVE-2022-35872
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-22-1019 // CNVD: CNVD-2024-48767 // JVNDB: JVNDB-2022-013798 // CNNVD: CNNVD-202207-1489 // NVD: CVE-2022-35872 // NVD: CVE-2022-35872

PROBLEMTYPE DATA

problemtype:CWE-502

Trust: 1.0

problemtype:Deserialization of untrusted data (CWE-502) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-013798 // NVD: CVE-2022-35872

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202207-1489

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202207-1489

PATCH

title:Inductive Automation has issued an update to correct this vulnerability.url:https://support.inductiveautomation.com/hc/en-us/articles/7625759776653-Regarding-Pwn2Own-2022-Vulnerabilities

Trust: 0.7

title:Patch for Inductive Automation Ignition Deserialization Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/644306

Trust: 0.6

title:Inductive Automation Ignition Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=201370

Trust: 0.6

sources: ZDI: ZDI-22-1019 // CNVD: CNVD-2024-48767 // CNNVD: CNNVD-202207-1489

EXTERNAL IDS

db:NVDid:CVE-2022-35872

Trust: 4.6

db:ZDIid:ZDI-22-1019

Trust: 3.2

db:CS-HELPid:SB2022071816

Trust: 1.2

db:JVNDBid:JVNDB-2022-013798

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-17115

Trust: 0.7

db:CNVDid:CNVD-2024-48767

Trust: 0.6

db:CNNVDid:CNNVD-202207-1489

Trust: 0.6

db:VULMONid:CVE-2022-35872

Trust: 0.1

sources: ZDI: ZDI-22-1019 // CNVD: CNVD-2024-48767 // VULMON: CVE-2022-35872 // JVNDB: JVNDB-2022-013798 // CNNVD: CNNVD-202207-1489 // NVD: CVE-2022-35872

REFERENCES

url:https://support.inductiveautomation.com/hc/en-us/articles/7625759776653-regarding-pwn2own-2022-vulnerabilities

Trust: 3.2

url:https://www.zerodayinitiative.com/advisories/zdi-22-1019/

Trust: 2.5

url:https://www.cybersecurity-help.cz/vdb/sb2022071816

Trust: 1.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-35872

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-35872/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/502.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: ZDI: ZDI-22-1019 // CNVD: CNVD-2024-48767 // VULMON: CVE-2022-35872 // JVNDB: JVNDB-2022-013798 // CNNVD: CNNVD-202207-1489 // NVD: CVE-2022-35872

CREDITS

Piotr Bazydlo (@chudypb)

Trust: 0.7

sources: ZDI: ZDI-22-1019

SOURCES

db:ZDIid:ZDI-22-1019
db:CNVDid:CNVD-2024-48767
db:VULMONid:CVE-2022-35872
db:JVNDBid:JVNDB-2022-013798
db:CNNVDid:CNNVD-202207-1489
db:NVDid:CVE-2022-35872

LAST UPDATE DATE

2024-12-21T22:55:55.495000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-22-1019date:2022-07-15T00:00:00
db:CNVDid:CNVD-2024-48767date:2024-12-20T00:00:00
db:VULMONid:CVE-2022-35872date:2022-07-26T00:00:00
db:JVNDBid:JVNDB-2022-013798date:2023-09-12T08:18:00
db:CNNVDid:CNNVD-202207-1489date:2022-08-04T00:00:00
db:NVDid:CVE-2022-35872date:2022-08-03T16:50:30.437

SOURCES RELEASE DATE

db:ZDIid:ZDI-22-1019date:2022-07-15T00:00:00
db:CNVDid:CNVD-2024-48767date:2022-12-26T00:00:00
db:VULMONid:CVE-2022-35872date:2022-07-25T00:00:00
db:JVNDBid:JVNDB-2022-013798date:2023-09-12T00:00:00
db:CNNVDid:CNNVD-202207-1489date:2022-07-18T00:00:00
db:NVDid:CVE-2022-35872date:2022-07-25T19:15:46.600