CVE-2022-2277 - OpenCVE

Improper Input Validation vulnerability exists in the Hitachi Energy MicroSCADA X SYS600's ICCP stack during the ICCP communication establishment causes a denial-of-service when ICCP of SYS600 is request to forward any data item updates with timestamps too distant in the future to any remote ICCP system. By default, ICCP is not configured and not enabled. This issue affects: Hitachi Energy MicroSCADA X SYS600 version 10.2 to version 10.3.1. cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2.1:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3.1:*:*:*:*:*:*:*

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Hitachienergy	Microscada X Sys600 Sys600

Configuration 1 [-]

AND

cpe:2.3:a:hitachienergy:microscada_x_sys600:*:*:*:*:*:*:*:*

cpe:2.3:h:hitachienergy:sys600:-:*:*:*:*:*:*:*

References

Link	Resource
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000106&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Hitachi Energy

Published: 2022-09-06T00:00:00

Updated: 2022-09-14T17:02:01

Reserved: 2022-07-01T00:00:00

Link: CVE-2022-2277

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-14T18:15:10.230

Modified: 2023-07-21T19:26:59.967

Link: CVE-2022-2277

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "MicroSCADA X SYS600", "vendor": "Hitachi Energy", "versions": [{"status": "affected", "version": "10.2"}, {"status": "affected", "version": "10.2.1"}, {"status": "affected", "version": "10.3"}, {"status": "affected", "version": "10.3.1"}]}], "datePublic": "2022-09-06T00:00:00", "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability exists in the Hitachi Energy MicroSCADA X SYS600's ICCP stack during the ICCP communication establishment causes a denial-of-service when ICCP of SYS600 is request to forward any data item updates with timestamps too distant in the future to any remote ICCP system. By default, ICCP is not configured and not enabled. This issue affects: Hitachi Energy MicroSCADA X SYS600 version 10.2 to version 10.3.1. cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2.1:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3.1:*:*:*:*:*:*:*"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-14T17:02:01", "orgId": "e383dce4-0c27-4495-91c4-0db157728d17", "shortName": "Hitachi Energy"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000106&LanguageCode=en&DocumentPartId=&Action=Launch"}], "solutions": [{"lang": "en", "value": "Remediated in SYS600 10.4 \nUpdate to at least SYS600 version 10.4."}], "source": {"discovery": "INTERNAL"}, "title": "A vulnerability exists in the ICCP stack of the affected SYS600 versions due to validation flaw in the process that establishes the ICCP communication. The validation flaw will cause a denial-of-service when ICCP of SYS600 is request to forward any da ...", "workarounds": [{"lang": "en", "value": "Do not enable ICCP if it is not used. \nApply general mitigation factors as specify in the advisory."}], "x_ConverterErrors": {"TITLE": {"error": "TITLE too long. Truncating in v5 record.", "message": "Truncated!"}}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@hitachienergy.com", "DATE_PUBLIC": "2022-09-06T14:30:00.000Z", "ID": "CVE-2022-2277", "STATE": "PUBLIC", "TITLE": "A vulnerability exists in the ICCP stack of the affected SYS600 versions due to validation flaw in the process that establishes the ICCP communication. The validation flaw will cause a denial-of-service when ICCP of SYS600 is request to forward any data item updates with timestamps too distant in the future to any remote ICCP system. By default, ICCP is not configured and not enabled."}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MicroSCADA X SYS600", "version": {"version_data": [{"version_affected": "=", "version_value": "10.2"}, {"version_affected": "=", "version_value": "10.2.1"}, {"version_affected": "=", "version_value": "10.3"}, {"version_affected": "=", "version_value": "10.3.1"}]}}]}, "vendor_name": "Hitachi Energy"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper Input Validation vulnerability exists in the Hitachi Energy MicroSCADA X SYS600's ICCP stack during the ICCP communication establishment causes a denial-of-service when ICCP of SYS600 is request to forward any data item updates with timestamps too distant in the future to any remote ICCP system. By default, ICCP is not configured and not enabled. This issue affects: Hitachi Energy MicroSCADA X SYS600 version 10.2 to version 10.3.1. cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2.1:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3.1:*:*:*:*:*:*:*"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000106&LanguageCode=en&DocumentPartId=&Action=Launch", "refsource": "CONFIRM", "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000106&LanguageCode=en&DocumentPartId=&Action=Launch"}]}, "solution": [{"lang": "en", "value": "Remediated in SYS600 10.4 \nUpdate to at least SYS600 version 10.4."}], "source": {"discovery": "INTERNAL"}, "work_around": [{"lang": "en", "value": "Do not enable ICCP if it is not used. \nApply general mitigation factors as specify in the advisory."}]}}}, "cveMetadata": {"assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17", "assignerShortName": "Hitachi Energy", "cveId": "CVE-2022-2277", "datePublished": "2022-09-06T00:00:00", "dateReserved": "2022-07-01T00:00:00", "dateUpdated": "2022-09-14T17:02:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hitachienergy:microscada_x_sys600:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D017E2F-F8D8-4755-881A-53415CBC27EE", "versionEndIncluding": "10.3.1", "versionStartIncluding": "10.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hitachienergy:sys600:-:*:*:*:*:*:*:*", "matchCriteriaId": "42B6499F-D82D-4B02-BBEC-60B36FB0C678", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability exists in the Hitachi Energy MicroSCADA X SYS600's ICCP stack during the ICCP communication establishment causes a denial-of-service when ICCP of SYS600 is request to forward any data item updates with timestamps too distant in the future to any remote ICCP system. By default, ICCP is not configured and not enabled. This issue affects: Hitachi Energy MicroSCADA X SYS600 version 10.2 to version 10.3.1. cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2.1:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3.1:*:*:*:*:*:*:*"}, {"lang": "es", "value": "Se presenta una vulnerabilidad de comprobaci\u00f3n de entrada inapropiada en la pila ICCP de Hitachi Energy MicroSCADA X SYS600 durante el establecimiento de la comunicaci\u00f3n ICCP que causa una denegaci\u00f3n de servicio cuando es solicitado a ICCP de SYS600 que reenv\u00ede cualquier actualizaci\u00f3n de elementos de datos con marcas de tiempo demasiado distantes en el futuro a cualquier sistema ICCP remoto. Por defecto, ICCP no est\u00e1 configurado ni habilitado. Este problema afecta: Hitachi Energy MicroSCADA X SYS600 versi\u00f3n 10.2 a versi\u00f3n 10.3.1. cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2:*:*:*:*:*:cpe:2.3:a:hitachienergy:microscada_x_sys600:10. 2.1:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3:*:*:*:*:*:*:* cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3.1:*:*:*:*:*:*:*"}], "id": "CVE-2022-2277", "lastModified": "2023-07-21T19:26:59.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cybersecurity@hitachienergy.com", "type": "Secondary"}]}, "published": "2022-09-14T18:15:10.230", "references": [{"source": "cybersecurity@hitachienergy.com", "tags": ["Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000106&LanguageCode=en&DocumentPartId=&Action=Launch"}], "sourceIdentifier": "cybersecurity@hitachienergy.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "cybersecurity@hitachienergy.com", "type": "Secondary"}]}