ID

VAR-202303-1316


CVE

CVE-2023-0598


TITLE

GE iFIX Code injection vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202303-1247

DESCRIPTION

GE Digital Proficy iFIX 2022, GE Digital Proficy iFIX v6.1, and GE Digital Proficy iFIX v6.5 are vulnerable to code injection, which may allow an attacker to insert malicious configuration files in the expected web server execution path and gain full control of the HMI software.

Trust: 0.99

sources: NVD: CVE-2023-0598 // VULMON: CVE-2023-0598

AFFECTED PRODUCTS

vendor: ge, model: ifix, scope: eq, version: 6.5

Trust: 1.0

vendor: ge, model: ifix, scope: eq, version: 6.1

Trust: 1.0

vendor: ge, model: ifix, scope: eq, version: 2022

Trust: 1.0

sources: NVD: CVE-2023-0598

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2023-0598
value: CRITICAL

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2023-0598
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202303-1247
value: CRITICAL

Trust: 0.6

NVD:
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov:
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: NVD: CVE-2023-0598 // NVD: CVE-2023-0598 // CNNVD: CNNVD-202303-1247

PROBLEMTYPE DATA

problemtype: CWE-94

Trust: 1.0

sources: NVD: CVE-2023-0598

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202303-1247

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-202303-1247

CONFIGURATIONS

sources: NVD: CVE-2023-0598

EXTERNAL IDS

db: ICS CERT, id: ICSA-23-073-03

Trust: 1.7

db: NVD, id: CVE-2023-0598

Trust: 1.7

db: AUSCERT, id: ESB-2023.1564

Trust: 0.6

db: CNNVD, id: CNNVD-202303-1247

Trust: 0.6

db: VULMON, id: CVE-2023-0598

Trust: 0.1

sources: VULMON: CVE-2023-0598 // NVD: CVE-2023-0598 // CNNVD: CNNVD-202303-1247

REFERENCES

url: https://digitalsupport.ge.com/s/article/ifix-secure-deployment-guide?language=en_us

Trust: 1.7

url: https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-03

Trust: 1.7

url: https://www.auscert.org.au/bulletins/esb-2023.1564

Trust: 0.6

url: https://cxsecurity.com/cveshow/cve-2023-0598/

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/94.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2023-0598 // NVD: CVE-2023-0598 // CNNVD: CNNVD-202303-1247

SOURCES

db: VULMON, id: CVE-2023-0598
db: NVD, id: CVE-2023-0598
db: CNNVD, id: CNNVD-202303-1247

LAST UPDATE DATE

2023-12-18T13:59:12.877000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2023-0598, date: 2023-03-17T00:00:00
db: NVD, id: CVE-2023-0598, date: 2023-11-07T04:00:56.850
db: CNNVD, id: CNNVD-202303-1247, date: 2023-03-24T00:00:00

SOURCES RELEASE DATE

db: VULMON, id: CVE-2023-0598, date: 2023-03-16T00:00:00
db: NVD, id: CVE-2023-0598, date: 2023-03-16T20:15:11.327
db: CNNVD, id: CNNVD-202303-1247, date: 2023-03-15T00:00:00