CVE-2021-22278 - OpenCVE

A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed.

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Abb	Update Manager
Hitachienergy	Pcm600

Configuration 1 [-]

OR	cpe:2.3:a:abb:update_manager:2.1:::::::*
	cpe:2.3:a:abb:update_manager:2.1.0.4:::::::*
	cpe:2.3:a:abb:update_manager:2.2:::::::*
	cpe:2.3:a:abb:update_manager:2.2.0.1:::::::*
	cpe:2.3:a:abb:update_manager:2.2.0.2:::::::*
	cpe:2.3:a:abb:update_manager:2.2.0.23:::::::*
	cpe:2.3:a:abb:update_manager:2.3.0.60:::::::*
	cpe:2.3:a:abb:update_manager:2.4.20041.1:::::::*
	cpe:2.3:a:abb:update_manager:2.4.20119.2:::::::*

Configuration 2 [-]

AND

cpe:2.3:a:abb:update_manager:*:*:*:*:*:*:*:*

cpe:2.3:h:hitachienergy:pcm600:-:*:*:*:*:*:*:*

References

Link	Resource
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ABB

Published: 2021-10-19T00:00:00

Updated: 2021-10-28T12:45:58

Reserved: 2021-01-05T00:00:00

Link: CVE-2021-22278

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-10-28T13:15:08.203

Modified: 2023-05-16T20:56:48.347

Link: CVE-2021-22278

JSON object: View

Redhat Information

No data.

CWE

CWE-295

{"containers": {"cna": {"affected": [{"product": "PCM600", "vendor": "ABB", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "2.7", "versionType": "custom"}, {"lessThanOrEqual": "2.10", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "PCM600 Update Manager", "vendor": "ABB", "versions": [{"status": "affected", "version": "2.1"}, {"status": "affected", "version": "2.1.0.4"}, {"status": "affected", "version": "2.2"}, {"status": "affected", "version": "2.2.0.1"}, {"status": "affected", "version": "2.2.0.2"}, {"status": "affected", "version": "2.2.0.23"}, {"status": "affected", "version": "2.3.0.60"}, {"status": "affected", "version": "2.4.20041.1"}, {"status": "affected", "version": "2.4.20119.2"}]}, {"product": "PCM600", "vendor": "Hitachi Energy", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "2.7", "versionType": "custom"}, {"lessThanOrEqual": "2.10", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "PCM600 Update Manager", "vendor": "Hitachi Energy", "versions": [{"status": "affected", "version": "2.1"}, {"status": "affected", "version": "2.1.0.4"}, {"status": "affected", "version": "2.2"}, {"status": "affected", "version": "2.2.0.1"}, {"status": "affected", "version": "2.2.0.2"}, {"status": "affected", "version": "2.2.0.23"}, {"status": "affected", "version": "2.3.0.60"}, {"status": "affected", "version": "2.4.20041.1"}, {"status": "affected", "version": "2.4.20119.2"}]}], "credits": [{"lang": "en", "value": "ABB and Hitachi Energy thank CyTRICS researcher May Chaffin for helping to identify the vulnerabilities and protecting our customers."}], "datePublic": "2021-10-19T00:00:00", "descriptions": [{"lang": "en", "value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-28T12:45:58", "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "shortName": "ABB"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"tags": ["x_refsource_MISC"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch"}], "solutions": [{"lang": "en", "value": "Install latest PCM600 Update Manager version 2.4.21218.1 or newer."}], "source": {"discovery": "UNKNOWN"}, "title": "Certificate verification vulnerability in Update Manager of PCM600 Engineering Tool", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@ch.abb.com", "DATE_PUBLIC": "2021-10-19T10:02:00.000Z", "ID": "CVE-2021-22278", "STATE": "PUBLIC", "TITLE": "Certificate verification vulnerability in Update Manager of PCM600 Engineering Tool"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PCM600", "version": {"version_data": [{"version_affected": ">=", "version_value": "2.7"}, {"version_affected": "<=", "version_value": "2.10"}]}}, {"product_name": "PCM600 Update Manager", "version": {"version_data": [{"version_affected": "=", "version_value": "2.1"}, {"version_affected": "=", "version_value": "2.1.0.4"}, {"version_affected": "=", "version_value": "2.2"}, {"version_affected": "=", "version_value": "2.2.0.1"}, {"version_affected": "=", "version_value": "2.2.0.2"}, {"version_affected": "=", "version_value": "2.2.0.23"}, {"version_affected": "=", "version_value": "2.3.0.60"}, {"version_affected": "=", "version_value": "2.4.20041.1"}, {"version_affected": "=", "version_value": "2.4.20119.2"}]}}]}, "vendor_name": "ABB"}, {"product": {"product_data": [{"product_name": "PCM600", "version": {"version_data": [{"version_affected": ">=", "version_value": "2.7"}, {"version_affected": "<=", "version_value": "2.10"}]}}, {"product_name": "PCM600 Update Manager", "version": {"version_data": [{"version_affected": "=", "version_value": "2.1"}, {"version_affected": "=", "version_value": "2.1.0.4"}, {"version_affected": "=", "version_value": "2.2"}, {"version_affected": "=", "version_value": "2.2.0.1"}, {"version_affected": "=", "version_value": "2.2.0.2"}, {"version_affected": "=", "version_value": "2.2.0.23"}, {"version_affected": "=", "version_value": "2.3.0.60"}, {"version_affected": "=", "version_value": "2.4.20041.1"}, {"version_affected": "=", "version_value": "2.4.20119.2"}]}}]}, "vendor_name": "Hitachi Energy"}]}}, "credit": [{"lang": "eng", "value": "ABB and Hitachi Energy thank CyTRICS researcher May Chaffin for helping to identify the vulnerabilities and protecting our customers."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295 Improper Certificate Validation"}]}]}, "references": {"reference_data": [{"name": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch", "refsource": "MISC", "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch", "refsource": "MISC", "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch"}]}, "solution": [{"lang": "en", "value": "Install latest PCM600 Update Manager version 2.4.21218.1 or newer."}], "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "assignerShortName": "ABB", "cveId": "CVE-2021-22278", "datePublished": "2021-10-19T00:00:00", "dateReserved": "2021-01-05T00:00:00", "dateUpdated": "2021-10-28T12:45:58", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:abb:update_manager:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "270D7F57-336B-4529-A80B-54E7285A748C", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F3C761D5-31F0-4A1C-B25B-D6672E6CCFA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "D90D0E2D-D673-42B1-BF93-6A46CCB4FC4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "E7566688-A986-454E-85E2-30C410F036F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E54590EC-81E2-4EB7-B9FA-FBD8D3EF68F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.2.0.23:*:*:*:*:*:*:*", "matchCriteriaId": "950F2775-4C0E-4C89-B9A5-E57C8AB7E358", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.3.0.60:*:*:*:*:*:*:*", "matchCriteriaId": "B9641E06-083B-4D62-A589-CBD33842E4F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.4.20041.1:*:*:*:*:*:*:*", "matchCriteriaId": "013A5B85-B035-459F-8D7D-1CD6ABA0BA06", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.4.20119.2:*:*:*:*:*:*:*", "matchCriteriaId": "634F2294-B68D-4729-B794-DBCED5283F96", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:abb:update_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "35E421FD-7C58-42B8-9D32-82D68763D59B", "versionEndIncluding": "2.10", "versionStartIncluding": "2.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hitachienergy:pcm600:-:*:*:*:*:*:*:*", "matchCriteriaId": "A68C99C9-B2C1-4ADD-9B06-2BE60B583D30", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."}, {"lang": "es", "value": "Una vulnerabilidad de comprobaci\u00f3n de certificados en PCM600 Update Manager permite a un atacante conseguir que se instalen paquetes de software no deseados en el ordenador que presenta instalado el PCM600"}], "id": "CVE-2021-22278", "lastModified": "2023-05-16T20:56:48.347", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}, "published": "2021-10-28T13:15:08.203", "references": [{"source": "cybersecurity@ch.abb.com", "tags": ["Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"source": "cybersecurity@ch.abb.com", "tags": ["Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch"}], "sourceIdentifier": "cybersecurity@ch.abb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}