Lucene search

IcscertCVE-2022-2970

HistorySep 23, 2022 - 4:15 p.m.

CVE-2022-2970

2022-09-2316:15:10

CWE-787

CWE-121

icscert

web.nvd.nist.gov

cve-2022-2970

mz automation

libiec61850

remote code execution

security vulnerability

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

60.8%

JSON

MZ Automation’s libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e) does not sanitize input before memcpy is used, which could allow an attacker to crash the device or remotely execute arbitrary code.

Affected configurations

Nvd

Node

mz-automationlibiec61850Range<1.5.0

VendorProductVersionCPE
mz-automationlibiec61850*cpe:2.3:a:mz-automation:libiec61850:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mz-automation	libiec61850	*	cpe:2.3:a:mz-automation:libiec61850::::::::

CNA Affected

[
  {
    "product": "libIEC61850",
    "vendor": "MZ Automation",
    "versions": [
      {
        "lessThanOrEqual": "1.4",
        "status": "affected",
        "version": "All",
        "versionType": "custom"
      },
      {
        "lessThan": "Commit: a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e",
        "status": "affected",
        "version": "Version 1.5",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/uscert/ics/advisories/icsa-22-251-01

Social References

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

60.8%

JSON

Related for CVE-2022-2970