Sign-up

ID

VAR-202302-0668


CVE

CVE-2023-22804


TITLE

ls-electric  of  xbc-dn32u  Vulnerability related to lack of authentication for critical functions in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2023-004161

DESCRIPTION

LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication to create users on the PLC. This could allow an attacker to create and use an account with elevated privileges and take control of the device. ls-electric of xbc-dn32u Firmware has a lack of authentication vulnerability for critical functionality.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. LS ELECTRIC XBC-DN32U is a PLC programmable logic controller produced by LS ELECTRIC in Korea

Trust: 2.25

sources: NVD: CVE-2023-22804 // JVNDB: JVNDB-2023-004161 // CNVD: CNVD-2023-21678 // VULMON: CVE-2023-22804

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2023-21678

AFFECTED PRODUCTS

vendor:ls electricmodel:xbc-dn32uscope:eqversion:01.80

Trust: 1.0

vendor:ls electricmodel:xbc-dn32uscope:eqversion:xbc-dn32u firmware 01.80

Trust: 0.8

vendor:ls electricmodel:xbc-dn32uscope:eqversion: -

Trust: 0.8

vendor:ls electricmodel:xbc-dn32uscope: - version: -

Trust: 0.8

vendor:lsmodel:electric xbc-dn32uscope:eqversion:01.80

Trust: 0.6

sources: CNVD: CNVD-2023-21678 // JVNDB: JVNDB-2023-004161 // NVD: CVE-2023-22804

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-22804
value: CRITICAL

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2023-22804
value: CRITICAL

Trust: 1.0

NVD: CVE-2023-22804
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2023-21678
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202302-1274
value: CRITICAL

Trust: 0.6

CNVD: CNVD-2023-21678
severity: HIGH
baseScore: 9.4
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2023-22804
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2023-22804
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2023-22804
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2023-21678 // JVNDB: JVNDB-2023-004161 // CNNVD: CNNVD-202302-1274 // NVD: CVE-2023-22804 // NVD: CVE-2023-22804

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.0

problemtype:Lack of authentication for critical features (CWE-306) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-004161 // NVD: CVE-2023-22804

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-1274

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202302-1274

EXTERNAL IDS

db:NVDid:CVE-2023-22804

Trust: 3.9

db:ICS CERTid:ICSA-23-040-02

Trust: 3.1

db:JVNid:JVNVU97136726

Trust: 0.8

db:JVNDBid:JVNDB-2023-004161

Trust: 0.8

db:CNVDid:CNVD-2023-21678

Trust: 0.6

db:CNNVDid:CNNVD-202302-1274

Trust: 0.6

db:VULMONid:CVE-2023-22804

Trust: 0.1

sources: CNVD: CNVD-2023-21678 // VULMON: CVE-2023-22804 // JVNDB: JVNDB-2023-004161 // CNNVD: CNNVD-202302-1274 // NVD: CVE-2023-22804

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-02

Trust: 3.1

url:https://jvn.jp/vu/jvnvu97136726/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2023-22804

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2023-22804/

Trust: 0.6

sources: CNVD: CNVD-2023-21678 // VULMON: CVE-2023-22804 // JVNDB: JVNDB-2023-004161 // CNNVD: CNNVD-202302-1274 // NVD: CVE-2023-22804

SOURCES

db:CNVDid:CNVD-2023-21678
db:VULMONid:CVE-2023-22804
db:JVNDBid:JVNDB-2023-004161
db:CNNVDid:CNNVD-202302-1274
db:NVDid:CVE-2023-22804

LAST UPDATE DATE

2024-08-14T13:42:05.076000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2023-21678date:2023-03-29T00:00:00
db:JVNDBid:JVNDB-2023-004161date:2023-10-26T05:00:00
db:CNNVDid:CNNVD-202302-1274date:2023-02-27T00:00:00
db:NVDid:CVE-2023-22804date:2023-11-07T04:07:25.270

SOURCES RELEASE DATE

db:CNVDid:CNVD-2023-21678date:2023-03-29T00:00:00
db:JVNDBid:JVNDB-2023-004161date:2023-10-26T00:00:00
db:CNNVDid:CNNVD-202302-1274date:2023-02-15T00:00:00
db:NVDid:CVE-2023-22804date:2023-02-15T18:15:11.827