ID

VAR-202208-1663


CVE

CVE-2022-2660


TITLE

Hard-coded encryption key vulnerability in Delta Electronics DIALink

Trust: 0.8

sources: JVNDB: JVNDB-2022-002361

DESCRIPTION

Delta Industrial Automation DIALink versions 1.4.0.0 and prior are vulnerable to the use of a hard-coded cryptographic key which could allow an attacker to decrypt sensitive data and compromise the machine.

DIALink, provided by Delta Electronics, contains the following vulnerability:
* Use of a hard-coded encryption key (CWE-321) - CVE-2022-2660

If the vulnerability is exploited, the impact may be as follows:
* Sensitive encrypted data stored on the device may be decrypted by a remote third party.

This vulnerability allows remote attackers to bypass authentication on affected installations of Delta Industrial Automation DIALink. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of requests to the server. The issue results from hardcoding cryptographic keys within the product. An attacker can leverage this vulnerability to bypass authentication on the system.

Delta Electronics Industrial Automation DIALink is an industrial automation IoT device from Delta Electronics, Taiwan, China.

Trust: 2.79

sources: NVD: CVE-2022-2660 // JVNDB: JVNDB-2022-002361 // ZDI: ZDI-22-1166 // CNNVD: CNNVD-202208-3794

AFFECTED PRODUCTS

vendor: deltaww, model: dialink, scope: lte, version: 1.4.0.0

Trust: 1.0

vendor: delta, model: dialink, scope: eq, version: -

Trust: 0.8

vendor: delta, model: dialink, scope: lte, version: v1.4.0.0 and earlier

Trust: 0.8

vendor: delta, model: dialink, scope: -, version: -

Trust: 0.7

sources: ZDI: ZDI-22-1166 // JVNDB: JVNDB-2022-002361 // NVD: CVE-2022-2660

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-2660
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2660
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-2660
value: HIGH

Trust: 0.8

ZDI: CVE-2022-2660
value: CRITICAL

Trust: 0.7

CNNVD: CNNVD-202208-3794
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-2660
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2660
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-2660
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2022-2660
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-22-1166 // JVNDB: JVNDB-2022-002361 // CNNVD: CNNVD-202208-3794 // NVD: CVE-2022-2660 // NVD: CVE-2022-2660

PROBLEMTYPE DATA

problemtype:CWE-321

Trust: 1.0

problemtype:CWE-798

Trust: 1.0

problemtype:Using hardcoded encryption keys (CWE-321) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-002361 // NVD: CVE-2022-2660

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202208-3794

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202208-3794

PATCH

title: Contact Us
url: https://www.deltaww.com/en/customerService

Trust: 0.8

title: Delta Electronics has issued an update to correct this vulnerability.
url: https://www.cisa.gov/uscert/ics/advisories/icsa-22-235-02

Trust: 0.7

title: Remediation for the Delta Electronics Industrial Automation DIALink trust management vulnerability
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=217984

Trust: 0.6

sources: ZDI: ZDI-22-1166 // JVNDB: JVNDB-2022-002361 // CNNVD: CNNVD-202208-3794

EXTERNAL IDS

db: NVD, id: CVE-2022-2660

Trust: 4.0

db: ICS CERT, id: ICSA-22-235-02

Trust: 2.5

db: JVN, id: JVNVU99763068

Trust: 0.8

db: JVNDB, id: JVNDB-2022-002361

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-16889

Trust: 0.7

db: ZDI, id: ZDI-22-1166

Trust: 0.7

db: CNNVD, id: CNNVD-202208-3794

Trust: 0.6

db: VULMON, id: CVE-2022-2660

Trust: 0.1

sources: ZDI: ZDI-22-1166 // VULMON: CVE-2022-2660 // JVNDB: JVNDB-2022-002361 // CNNVD: CNNVD-202208-3794 // NVD: CVE-2022-2660

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-235-02

Trust: 3.2

url:http://jvn.jp/vu/jvnvu99763068/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-2660

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-2660/

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-235-02

Trust: 0.6

sources: ZDI: ZDI-22-1166 // VULMON: CVE-2022-2660 // JVNDB: JVNDB-2022-002361 // CNNVD: CNNVD-202208-3794 // NVD: CVE-2022-2660

CREDITS

Y4er

Trust: 0.7

sources: ZDI: ZDI-22-1166

SOURCES

db: ZDI, id: ZDI-22-1166
db: VULMON, id: CVE-2022-2660
db: JVNDB, id: JVNDB-2022-002361
db: CNNVD, id: CNNVD-202208-3794
db: NVD, id: CVE-2022-2660

LAST UPDATE DATE

2024-08-14T14:37:20.383000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-22-1166, date: 2022-08-24T00:00:00
db: JVNDB, id: JVNDB-2022-002361, date: 2024-05-31T09:14:00
db: CNNVD, id: CNNVD-202208-3794, date: 2022-12-19T00:00:00
db: NVD, id: CVE-2022-2660, date: 2023-11-07T03:46:50.010

SOURCES RELEASE DATE

db: ZDI, id: ZDI-22-1166, date: 2022-08-24T00:00:00
db: JVNDB, id: JVNDB-2022-002361, date: 2022-09-08T00:00:00
db: CNNVD, id: CNNVD-202208-3794, date: 2022-08-23T00:00:00
db: NVD, id: CVE-2022-2660, date: 2022-12-13T22:15:09.910