Vulnerabilities related to Secheron - SEPCOS Control and Protection Relay firmware package (all five records below come from the same CISA advisory, ICSA-22-174-03, and share one fix: update to 1.23.22+, 1.24.8+ or 1.25.3+ depending on feature level)
CVE-2022-1667 (GCVE-0-2022-1667)
Vulnerability from cvelistv5
Published
2022-06-24 15:00
Modified
2025-04-16 16:16
CWE
- CWE-841 - IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW
Summary
Client-side JavaScript controls may be bypassed by directly running a JS function to reboot the PLC (e.g., from the browser console) or by loading the corresponding, browser-accessible PHP script. The CVSS vector (PR:N, UI:N) indicates the reboot endpoint is reachable without authentication, so the client-side check is the only control; the server-side script itself performs no authorization.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Secheron | SEPCOS Control and Protection Relay firmware package | All versions < 1.23.21 (1.23.x feature level); per the record's version data also < 1.24.8 (1.24.x) and < 1.25.3 (1.25.x). Note the vendor solution text says "1.23.22 or higher" while the affected range says "< 1.23.21" — treat 1.23.22 as the safe floor. |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:10:03.859Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-1667", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-16T15:55:24.323966Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-16T16:16:23.607Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "SEPCOS Control and Protection Relay firmware package", "vendor": "Secheron", "versions": [ { "changes": [ { "at": "1.24.8", "status": "unaffected" }, { "at": "1.25.3", "status": "unaffected" } ], "lessThan": "1.23.21", "status": "affected", "version": "All versions", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." 
} ], "datePublic": "2022-06-23T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "Client-side JavaScript controls may be bypassed by directly running a JS function to reboot the PLC (e.g., from the browser console) or by loading the corresponding, browser accessible PHP script" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-841", "description": "CWE-841 IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-24T15:00:30.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "solutions": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "title": "Secheron SEPCOS Control and Protection Relay", "workarounds": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. 
Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-06-23T17:01:00.000Z", "ID": "CVE-2022-1667", "STATE": "PUBLIC", "TITLE": "Secheron SEPCOS Control and Protection Relay" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SEPCOS Control and Protection Relay firmware package", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.23.21" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.24.8" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.25.3" } ] } } ] }, "vendor_name": "Secheron" } ] } }, "credit": [ { "lang": "eng", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Client-side JavaScript controls may be bypassed by directly running a JS function to reboot the PLC (e.g., from the browser console) or by loading the corresponding, browser accessible PHP script" } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-841 IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ] }, "solution": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. 
Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1667", "datePublished": "2022-06-24T15:00:30.365Z", "dateReserved": "2022-05-10T00:00:00.000Z", "dateUpdated": "2025-04-16T16:16:23.607Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-2105 (GCVE-0-2022-2105)
Vulnerability from cvelistv5
Published
2022-06-24 15:00
Modified
2025-04-16 16:16
CWE
- CWE-841 - IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW
Summary
Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a "root" user level meant only for the vendor. Web-server root-level access allows changing of safety-critical parameters. Because the account change itself is unauthenticated (CVSS PR:N), any host that can reach the web interface can escalate to the vendor-only level; network restriction of ports 80/443 is the only mitigation short of the firmware update.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Secheron | SEPCOS Control and Protection Relay firmware package | All versions < 1.23.21 (1.23.x feature level); per the record's version data also < 1.24.8 (1.24.x) and < 1.25.3 (1.25.x). |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:24:44.189Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-2105", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-16T15:55:19.184560Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-16T16:16:16.151Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "SEPCOS Control and Protection Relay firmware package", "vendor": "Secheron", "versions": [ { "changes": [ { "at": "1.24.8", "status": "unaffected" }, { "at": "1.25.3", "status": "unaffected" } ], "lessThan": "1.23.21", "status": "affected", "version": "All versions", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." } ], "datePublic": "2022-06-23T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a \u201croot\u201d user level meant only for the vendor. Web server root level access allows for changing of safety critical parameters." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-841", "description": "CWE-841 IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-24T15:00:31.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "solutions": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "title": "Secheron SEPCOS Control and Protection Relay", "workarounds": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-06-23T17:01:00.000Z", "ID": "CVE-2022-2105", "STATE": "PUBLIC", "TITLE": "Secheron SEPCOS Control and Protection Relay" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SEPCOS Control and Protection Relay firmware package", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.23.21" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.24.8" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.25.3" } ] } } ] }, "vendor_name": "Secheron" } ] } }, "credit": [ { "lang": "eng", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a \u201croot\u201d user level meant only for the vendor. Web server root level access allows for changing of safety critical parameters." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-841 IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ] }, "solution": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." 
} ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-2105", "datePublished": "2022-06-24T15:00:31.926Z", "dateReserved": "2022-06-16T00:00:00.000Z", "dateUpdated": "2025-04-16T16:16:16.151Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-2103 (GCVE-0-2022-2103)
Vulnerability from cvelistv5
Published
2022-06-24 15:00
Modified
2025-04-16 16:16
CWE
- CWE-284 - Improper Access Control
Summary
An attacker using weak (easily guessed) credentials could log in over the device's open FTP port, allowing them to read sensitive files and write to remotely executable directories (a path to code execution when combined with the web server). Note that the vendor workaround in this record only names ports 80 and 443; FTP (typically TCP/21) is not covered by it, so network filtering should explicitly include the FTP service as well.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Secheron | SEPCOS Control and Protection Relay firmware package | All versions < 1.23.21 (1.23.x feature level); per the record's version data also < 1.24.8 (1.24.x) and < 1.25.3 (1.25.x). |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:24:44.356Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-2103", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-16T15:54:17.979733Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-16T16:16:38.589Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "SEPCOS Control and Protection Relay firmware package", "vendor": "Secheron", "versions": [ { "changes": [ { "at": "1.24.8", "status": "unaffected" }, { "at": "1.25.3", "status": "unaffected" } ], "lessThan": "1.23.21", "status": "affected", "version": "All versions", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." } ], "datePublic": "2022-06-23T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "An attacker with weak credentials could access the TCP port via an open FTP port, allowing an attacker to read sensitive files and write to remotely executable directories." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-24T15:00:28.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "solutions": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "title": "Secheron SEPCOS Control and Protection Relay", "workarounds": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-06-23T17:01:00.000Z", "ID": "CVE-2022-2103", "STATE": "PUBLIC", "TITLE": "Secheron SEPCOS Control and Protection Relay" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SEPCOS Control and Protection Relay firmware package", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.23.21" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.24.8" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.25.3" } ] } } ] }, "vendor_name": "Secheron" } ] } }, "credit": [ { "lang": "eng", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An attacker with weak credentials could access the TCP port via an open FTP port, allowing an attacker to read sensitive files and write to remotely executable directories." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-284 Improper Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ] }, "solution": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." 
} ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-2103", "datePublished": "2022-06-24T15:00:28.743Z", "dateReserved": "2022-06-16T00:00:00.000Z", "dateUpdated": "2025-04-16T16:16:38.589Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-1668 (GCVE-0-2022-1668)
Vulnerability from cvelistv5
Published
2022-06-24 15:00
Modified
2025-04-16 16:16
CWE
- CWE-521 - Weak Password Requirements
Summary
Weak default root user credentials allow remote attackers to easily obtain OS superuser privileges over the open TCP port for SSH. This is a full-device compromise (CVSS C:H/I:H/A:H) independent of the web-interface issues; the vendor workaround of closing ports 80 and 443 does not address SSH, so until the firmware is updated the SSH service should be restricted at the network level and the default root password changed where the device permits it.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Secheron | SEPCOS Control and Protection Relay firmware package | All versions < 1.23.21 (1.23.x feature level); per the record's version data also < 1.24.8 (1.24.x) and < 1.25.3 (1.25.x). |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:10:03.818Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-1668", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-16T15:54:13.554030Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-16T16:16:08.809Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "SEPCOS Control and Protection Relay firmware package", "vendor": "Secheron", "versions": [ { "changes": [ { "at": "1.24.8", "status": "unaffected" }, { "at": "1.25.3", "status": "unaffected" } ], "lessThan": "1.23.21", "status": "affected", "version": "All versions", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." } ], "datePublic": "2022-06-23T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "Weak default root user credentials allow remote attackers to easily obtain OS superuser privileges over the open TCP port for SSH." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-521", "description": "CWE-521 Weak Password Requirements", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-24T15:00:32.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "solutions": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "title": "Secheron SEPCOS Control and Protection Relay", "workarounds": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-06-23T17:01:00.000Z", "ID": "CVE-2022-1668", "STATE": "PUBLIC", "TITLE": "Secheron SEPCOS Control and Protection Relay" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SEPCOS Control and Protection Relay firmware package", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.23.21" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.24.8" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.25.3" } ] } } ] }, "vendor_name": "Secheron" } ] } }, "credit": [ { "lang": "eng", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Weak default root user credentials allow remote attackers to easily obtain OS superuser privileges over the open TCP port for SSH." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-521 Weak Password Requirements" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ] }, "solution": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." 
} ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1668", "datePublished": "2022-06-24T15:00:32.930Z", "dateReserved": "2022-05-10T00:00:00.000Z", "dateUpdated": "2025-04-16T16:16:08.809Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-2102 (GCVE-0-2022-2102)
Vulnerability from cvelistv5
Published
2022-06-24 15:00
Modified
2025-04-16 16:16
CWE
- CWE-841 - IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW
Summary
Controls limiting uploads to certain file extensions may be bypassed. An attacker could intercept the initial file-upload page response and modify the associated code; the modified code is then forwarded and used by a script loaded later in the sequence, allowing arbitrary file upload into a location where PHP scripts may be executed. The extension check is therefore enforced on the client only; the record does not indicate any server-side validation of the uploaded file's name or content.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Secheron | SEPCOS Control and Protection Relay firmware package | All versions < 1.23.21 (1.23.x feature level); per the record's version data also < 1.24.8 (1.24.x) and < 1.25.3 (1.25.x). |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:24:44.203Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-2102", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-16T15:55:13.164067Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-16T16:16:00.619Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "SEPCOS Control and Protection Relay firmware package", "vendor": "Secheron", "versions": [ { "changes": [ { "at": "1.24.8", "status": "unaffected" }, { "at": "1.25.3", "status": "unaffected" } ], "lessThan": "1.23.21", "status": "affected", "version": "All versions", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." } ], "datePublic": "2022-06-23T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. This modified code can be forwarded and used by a script loaded later in the sequence, allowing for arbitrary file upload into a location where PHP scripts may be executed." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-841", "description": "CWE-841 IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-24T15:00:33.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "solutions": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "title": "Secheron SEPCOS Control and Protection Relay", "workarounds": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-06-23T17:01:00.000Z", "ID": "CVE-2022-2102", "STATE": "PUBLIC", "TITLE": "Secheron SEPCOS Control and Protection Relay" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SEPCOS Control and Protection Relay firmware package", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.23.21" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.24.8" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.25.3" } ] } } ] }, "vendor_name": "Secheron" } ] } }, "credit": [ { "lang": "eng", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. This modified code can be forwarded and used by a script loaded later in the sequence, allowing for arbitrary file upload into a location where PHP scripts may be executed." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-841 IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ] }, "solution": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." 
} ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-2102", "datePublished": "2022-06-24T15:00:33.724Z", "dateReserved": "2022-06-16T00:00:00.000Z", "dateUpdated": "2025-04-16T16:16:00.619Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-1666 (GCVE-0-2022-1666)
Vulnerability from cvelistv5
Published
2022-06-24 15:00
Modified
2025-04-16 16:16
Severity: CVSS v3.1 base score 6.5 (MEDIUM)
CWE
- CWE-522 - Insufficiently Protected Credentials
Summary
The default password for the web application’s root user (the vendor’s private account) was weak, and its MD5 hash could be cracked using a widely available open-source tool.
References
URL | Tags
---|---
https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
Secheron | SEPCOS Control and Protection Relay firmware package | All versions < 1.23.21
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:10:03.910Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-1666", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-16T15:51:27.604177Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-16T16:16:30.731Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "SEPCOS Control and Protection Relay firmware package", "vendor": "Secheron", "versions": [ { "changes": [ { "at": "1.24.8", "status": "unaffected" }, { "at": "1.25.3", "status": "unaffected" } ], "lessThan": "1.23.21", "status": "affected", "version": "All versions", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." } ], "datePublic": "2022-06-23T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "The default password for the web application\u2019s root user (the vendor\u2019s private account) was weak and the MD5 hash was used to crack the password using a widely available open-source tool." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-24T15:00:29.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "solutions": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "title": "Secheron SEPCOS Control and Protection Relay", "workarounds": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-06-23T17:01:00.000Z", "ID": "CVE-2022-1666", "STATE": "PUBLIC", "TITLE": "Secheron SEPCOS Control and Protection Relay" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SEPCOS Control and Protection Relay firmware package", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.23.21" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.24.8" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.25.3" } ] } } ] }, "vendor_name": "Secheron" } ] } }, "credit": [ { "lang": "eng", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The default password for the web application\u2019s root user (the vendor\u2019s private account) was weak and the MD5 hash was used to crack the password using a widely available open-source tool." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-522 Insufficiently Protected Credentials" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ] }, "solution": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." 
} ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1666", "datePublished": "2022-06-24T15:00:29.585Z", "dateReserved": "2022-05-10T00:00:00.000Z", "dateUpdated": "2025-04-16T16:16:30.731Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-2104 (GCVE-0-2022-2104)
Vulnerability from cvelistv5
Published
2022-06-24 15:00
Modified
2025-04-16 17:51
Severity: CVSS v3.1 base score 9.9 (CRITICAL)
CWE
- CWE-269 - Improper Privilege Management
Summary
The www-data (Apache web server) account is configured to run sudo with no password for many commands (including /bin/sh and /bin/bash).
References
URL | Tags
---|---
https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
Secheron | SEPCOS Control and Protection Relay firmware package | All versions < 1.23.21
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:24:44.252Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-2104", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-16T17:28:26.327468Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-16T17:51:54.147Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "SEPCOS Control and Protection Relay firmware package", "vendor": "Secheron", "versions": [ { "changes": [ { "at": "1.24.8", "status": "unaffected" }, { "at": "1.25.3", "status": "unaffected" } ], "lessThan": "1.23.21", "status": "affected", "version": "All versions", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." } ], "datePublic": "2022-06-23T00:00:00.000Z", "descriptions": [ { "lang": "en", "value": "The www-data (Apache web server) account is configured to run sudo with no password for many commands (including /bin/sh and /bin/bash)." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-24T15:00:31.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ], "solutions": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "title": "Secheron SEPCOS Control and Protection Relay", "workarounds": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-06-23T17:01:00.000Z", "ID": "CVE-2022-2104", "STATE": "PUBLIC", "TITLE": "Secheron SEPCOS Control and Protection Relay" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "SEPCOS Control and Protection Relay firmware package", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.23.21" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.24.8" }, { "version_affected": "\u003c", "version_name": "All versions", "version_value": "1.25.3" } ] } } ] }, "vendor_name": "Secheron" } ] } }, "credit": [ { "lang": "eng", "value": "Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The www-data (Apache web server) account is configured to run sudo with no password for many commands (including /bin/sh and /bin/bash)." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-269 Improper Privilege Management" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03" } ] }, "solution": [ { "lang": "en", "value": "Secheron recommends updating its software to the latest version:\n\nSEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version\nSEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version\nSEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version" } ], "source": { "advisory": "ICSA-22-174-03", "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "value": "Additional workarounds are suggested to help reduce the risk:\n\nConfigure the network such that PLC communications are strictly limited to only the devices required to perform its functions.\nLimit remote access and close Ports 80 and 443 at the switch level.\nOnly use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices.\nCheck device logs during periodic maintenance for unauthorized changes or access." 
} ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-2104", "datePublished": "2022-06-24T15:00:31.124Z", "dateReserved": "2022-06-16T00:00:00.000Z", "dateUpdated": "2025-04-16T17:51:54.147Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }