CVE-2023-2003 - OpenCVE

Embedded malicious code vulnerability in Vision1210, in the build 5 of operating system version 4.3, which could allow a remote attacker to store base64-encoded malicious code in the device's data tables via the PCOM protocol, which can then be retrieved by a client and executed on the device.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Unitronicsplc	Vision1210 Vision1210 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:unitronicsplc:vision1210_firmware:4.3:build_5:*:*:*:*:*:*

cpe:2.3:h:unitronicsplc:vision1210:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.hackplayers.com/2023/07/vulnerabilidad-vision1210-unitronics.html	Third Party Advisory
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/embedded-malicious-code-vulnerability-unitronics-vision1210	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-07-13T11:25:03.096Z

Updated: 2023-07-17T10:11:18.273Z

Reserved: 2023-04-12T14:08:51.192Z

Link: CVE-2023-2003

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-07-13T12:15:09.317

Modified: 2023-07-25T19:01:17.603

Link: CVE-2023-2003

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-2003", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-04-12T14:08:51.192Z", "datePublished": "2023-07-13T11:25:03.096Z", "dateUpdated": "2023-07-17T10:11:18.273Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Vision1210", "vendor": "Unitronics", "versions": [{"status": "affected", "version": "4.3, build 5"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Carlos Antonini Cepeda"}], "datePublic": "2023-07-06T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Embedded malicious code vulnerability in Vision1210, in the build 5 of operating system version 4.3, which could allow a remote attacker to store base64-encoded malicious code in the device's data tables via the PCOM protocol, which can then be retrieved by a client and executed on the device.</span>\n\n"}], "value": "Embedded malicious code vulnerability in Vision1210, in the build 5 of operating system version 4.3, which could allow a remote attacker to store base64-encoded malicious code in the device's data tables via the PCOM protocol, which can then be retrieved by a client and executed on the device.\n\n"}], "impacts": [{"capecId": "CAPEC-636", "descriptions": [{"lang": "en", "value": "CAPEC-636: Hiding Malicious Data or Code within Files"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-506", "description": "CWE-506: Embedded Malicious Code", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-07-17T10:11:18.273Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/embedded-malicious-code-vulnerability-unitronics-vision1210"}, {"tags": ["related", "technical-description"], "url": "https://www.hackplayers.com/2023/07/vulnerabilidad-vision1210-unitronics.html"}], "source": {"advisory": "INCIBE-2023-0253", "discovery": "EXTERNAL"}, "title": "Embedded malicious code vulnerability in Unitronics Vision1210", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:unitronicsplc:vision1210_firmware:4.3:build_5:*:*:*:*:*:*", "matchCriteriaId": "DC8B7EE5-B15D-45DE-BCF6-73D2D207029B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:unitronicsplc:vision1210:-:*:*:*:*:*:*:*", "matchCriteriaId": "0FE3119A-2567-4524-9083-82F49216700D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Embedded malicious code vulnerability in Vision1210, in the build 5 of operating system version 4.3, which could allow a remote attacker to store base64-encoded malicious code in the device's data tables via the PCOM protocol, which can then be retrieved by a client and executed on the device.\n\n"}], "id": "CVE-2023-2003", "lastModified": "2023-07-25T19:01:17.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2023-07-13T12:15:09.317", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.hackplayers.com/2023/07/vulnerabilidad-vision1210-unitronics.html"}, {"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/embedded-malicious-code-vulnerability-unitronics-vision1210"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-506"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}