CVSS v3.1 base score: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.003 Low (percentile 65.3%)
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition.
Softing reports these vulnerabilities affect the following products:
A crafted HTTP packet with a large content-length header can create a denial-of-service condition in Softing Secure Integration Server.
CVE-2022-1069 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The application searches for a library DLL that is not found. If an attacker can place a DLL with this name, the attacker can leverage it to execute arbitrary code on the targeted Softing Secure Integration Server.
CVE-2022-2334 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Softing Secure Integration Server, edgeConnector, and edgeAggregator software ships with the default administrator credentials as admin and password as admin. This allows Softing to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the admin password. There is no warning or prompt to ask the user to change the default password, and to change the password, many steps are required.
CVE-2022-2336 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The "restore configuration" feature of Softing Secure Integration Server is vulnerable to directory traversal when processing zip files. An attacker can craft a zip file to load an arbitrary DLL and execute code. Using the "restore configuration" feature to upload a zip file containing a path traversal file may cause a file to be created and executed upon touching the disk.
CVE-2022-1373 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
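The directory traversal above is the classic archive-extraction problem: the server trusts member names in the uploaded zip and joins them onto the destination directory. The following is an added example, not Softing's code, of the validation a "restore configuration" feature needs before any member touches the disk. It builds a constructed in-memory archive containing one benign member and one whose name climbs out of the destination, and shows the extractor refusing the whole archive before writing anything; the member names and contents are constructed for illustration.

```python
"""Path-traversal-safe extraction of a configuration archive (added example)."""
import io
import os
import tempfile
import zipfile


class UnsafeArchiveError(ValueError):
    """Raised when any member would land outside the destination directory."""


def member_is_safe(name: str, dest: str) -> bool:
    """True only if `name` resolves to a path strictly inside `dest`.

    Zip names use '/', but Windows-built archives may carry '\\'; both are
    treated as separators so "..\\x" cannot slip past a '/'-only check.
    """
    normalized = name.replace("\\", "/")
    # Absolute paths and drive letters ("C:/...") are never acceptable.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return False
    if any(part == ".." for part in normalized.split("/")):
        return False
    # Resolve the final location and require it to sit below the destination.
    target = os.path.realpath(os.path.join(dest, *normalized.split("/")))
    root = os.path.realpath(dest)
    return target.startswith(root + os.sep)


def restore_configuration(archive_bytes: bytes, dest: str) -> list:
    """Extract only after validating every member; return the names written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Validate the whole manifest first so a bad entry late in the archive
        # cannot leave a half-restored directory behind.
        for info in zf.infolist():
            if not member_is_safe(info.filename, dest):
                raise UnsafeArchiveError(f"refusing member {info.filename!r}")
        for info in zf.infolist():
            if info.is_dir():
                continue
            out_path = os.path.join(dest, *info.filename.replace("\\", "/").split("/"))
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_archive(traversal: bool) -> bytes:
    """Constructed sample archive; `traversal=True` adds an escaping member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/server.json", b'{"port": 8099}')  # constructed content
        if traversal:
            # Constructed traversal member: the name, not the content, is what
            # matters, so the payload is a harmless marker string.
            zf.writestr("../../marker.txt", b"placeholder")
    return buf.getvalue()


def demo() -> dict:
    """Restore both archives into scratch directories and report the outcome."""
    results = {}
    for label, payload in (("clean", build_archive(False)), ("traversal", build_archive(True))):
        with tempfile.TemporaryDirectory() as dest:
            try:
                results[label] = restore_configuration(payload, dest)
            except UnsafeArchiveError as exc:
                results[label] = str(exc)
                # Nothing may have been written before the rejection.
                assert os.listdir(dest) == []
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} -> {outcome}")
```

Validating the full member list before extracting anything is deliberate: rejecting the archive on the first bad name, after earlier members were already written, would still let a partially attacker-controlled tree reach the disk.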
Softing Secure Integration Server is vulnerable to authentication bypass via a machine-in-the-middle attack. By default, the administration interface is accessible via plaintext HTTP, facilitating the attack. The HTTP request may contain the session cookie, which may be captured for use in authenticating to the server.
CVE-2022-2338 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
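A session cookie issued over plaintext HTTP is readable by anyone on the network path, and a cookie without the Secure attribute will keep being sent over http:// even after the interface is moved to TLS. The following added example, which is not Softing's code, audits an administration interface's Set-Cookie headers for the conditions that make the capture described above possible. The cookie names, header values, and the session-cookie naming heuristic (SESSION_NAME_HINTS) are constructed assumptions for illustration.

```python
"""Audit session-cookie handling of an administration interface (added example)."""
from dataclasses import dataclass, field

# Assumed heuristic: cookies whose names contain these fragments carry a session.
SESSION_NAME_HINTS = ("session", "sid", "auth", "token")


@dataclass
class CookieFinding:
    name: str
    issues: list = field(default_factory=list)


def parse_set_cookie(header_value: str):
    """Return (name, {attribute: value}) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_response(scheme: str, set_cookie_headers: list) -> list:
    """Flag session cookies that a passive observer or a script could obtain."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue  # not a session credential under the assumed heuristic
        finding = CookieFinding(name)
        if scheme.lower() == "http":
            # The cookie itself travels in cleartext on this response.
            finding.issues.append("issued over plaintext HTTP")
        if "secure" not in attrs:
            # Without Secure the browser will also send it over http:// later.
            finding.issues.append("missing Secure attribute")
        if "httponly" not in attrs:
            finding.issues.append("missing HttpOnly attribute")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            finding.issues.append("SameSite not Lax/Strict")
        findings.append(finding)
    return findings


# Constructed responses: the weak default and the hardened equivalent.
SAMPLES = {
    "weak": ("http", ["SESSIONID=abc123; Path=/"]),
    "hardened": ("https", ["SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"]),
}


def demo() -> dict:
    """Return {sample label: flat list of issues across its session cookies}."""
    return {
        label: [issue for f in audit_response(scheme, headers) for issue in f.issues]
        for label, (scheme, headers) in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, issues in demo().items():
        print(f"{label:9s} -> {issues or 'no findings'}")
```

The same checks can be run against a captured response from a proxy or against the server's own HTTP configuration; the point is that moving the interface to HTTPS alone is not enough if the cookie attributes still allow it to leak.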
Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability.
CVE-2022-1748 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A crafted HTTP packet with a missing HTTP URI can create a denial-of-service condition in Softing Secure Integration Server.
CVE-2022-2337 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A crafted HTTP packet without a content-type header can create a denial-of-service condition in Softing Secure Integration Server.
CVE-2022-2547 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A crafted HTTP packet with a -1 content-length header can create a denial-of-service condition in Softing Secure Integration Server.
CVE-2022-2335 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
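Four of the denial-of-service issues above (CVE-2022-1069, CVE-2022-2337, CVE-2022-2547, CVE-2022-2335) are the same class of defect: the request parser accepts a missing request target, a missing Content-Type, or a Content-Length of -1 or an enormous size, and later code assumes the values are well-formed. The following added example, not Softing's code, shows the validation a server's request-head parser needs so each of these inputs is answered with an error status instead of reaching that code. The upload cap (MAX_BODY_BYTES), the Host names, and the sample request heads are constructed assumptions.

```python
"""Defensive parsing of an HTTP/1.1 request head (added example)."""
from dataclasses import dataclass, field
from typing import Optional

MAX_BODY_BYTES = 10 * 1024 * 1024  # assumed server policy: 10 MiB upload cap
METHODS_WITH_BODY = {"POST", "PUT", "PATCH"}


@dataclass
class ParseResult:
    ok: bool
    status: int                 # HTTP status to answer with when not ok
    reason: str = ""
    method: str = ""
    target: str = ""
    headers: dict = field(default_factory=dict)
    content_length: Optional[int] = None


def parse_request_head(raw: bytes) -> ParseResult:
    """Validate a request head (everything before the blank line)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ParseResult(False, 400, "non-ASCII bytes in request head")

    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    # The request line must have exactly three tokens; a missing URI leaves two.
    if len(parts) != 3 or not parts[1]:
        return ParseResult(False, 400, "malformed request line (missing target?)")
    method, target, version = parts
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return ParseResult(False, 505, "unsupported HTTP version")

    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return ParseResult(False, 400, "malformed header line")
        lname = name.strip().lower()
        if lname == "content-length" and lname in headers:
            # Conflicting lengths are a request-smuggling signal; reject them.
            return ParseResult(False, 400, "duplicate Content-Length")
        headers[lname] = value.strip()

    content_length = None
    if "content-length" in headers:
        cl = headers["content-length"]
        # Only an unsigned decimal integer is valid: this rejects "-1", "+5",
        # "0x10", empty values and anything containing whitespace.
        if not cl.isdigit():
            return ParseResult(False, 400, f"invalid Content-Length {cl!r}")
        content_length = int(cl)
        # Bound the declared length before any buffer is sized from it.
        if content_length > MAX_BODY_BYTES:
            return ParseResult(False, 413, "Content-Length exceeds upload cap")

    if method in METHODS_WITH_BODY and content_length and "content-type" not in headers:
        # A body without a declared media type is not dispatched to a handler.
        return ParseResult(False, 415, "Content-Type required for request body")

    return ParseResult(True, 200, "", method, target, headers, content_length)


# Constructed request heads mirroring the malformed inputs the advisory names.
SAMPLES = {
    "good": b"POST /config HTTP/1.1\r\nHost: sis.example\r\nContent-Type: application/json\r\nContent-Length: 12\r\n\r\n",
    "missing_uri": b"GET HTTP/1.1\r\nHost: sis.example\r\n\r\n",
    "negative_length": b"POST /config HTTP/1.1\r\nHost: sis.example\r\nContent-Type: text/plain\r\nContent-Length: -1\r\n\r\n",
    "huge_length": b"POST /config HTTP/1.1\r\nHost: sis.example\r\nContent-Type: text/plain\r\nContent-Length: 99999999999\r\n\r\n",
    "no_content_type": b"POST /config HTTP/1.1\r\nHost: sis.example\r\nContent-Length: 12\r\n\r\n",
}


def check_samples() -> dict:
    """Return {sample name: HTTP status the parser would answer with}."""
    return {name: parse_request_head(raw).status for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in check_samples().items():
        print(f"{name:16s} -> {status}")
```

The ordering matters: the length is parsed and bounded before any allocation depends on it, and the parser never indexes into the request line until it has confirmed the token count, which is exactly where a missing URI would otherwise fault.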
Pedro Ribeiro and Radek Domanski, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Softing and CISA.
Softing released new versions to address these vulnerabilities and notified known users of the releases. Users are advised to update to the new versions:
The latest software packages can be downloaded from the Softing website.
Softing recommends the following mitigations and workarounds:
For more details on these vulnerabilities and mitigations, users should see SYT-2022-7, SYT-2022-6, SYT-2022-5, and SYT-2022-4 on the Softing security website.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have a low attack complexity.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1069
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1373
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1748
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2334
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2335
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2336
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2337
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2338
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2547
cwe.mitre.org/data/definitions/125.html
cwe.mitre.org/data/definitions/191.html
cwe.mitre.org/data/definitions/23.html
cwe.mitre.org/data/definitions/287.html
cwe.mitre.org/data/definitions/319.html
cwe.mitre.org/data/definitions/427.html
cwe.mitre.org/data/definitions/476.html
industrial.softing.com/fileadmin/psirt/downloads/syt-2022-4.html
industrial.softing.com/fileadmin/psirt/downloads/syt-2022-5.html
industrial.softing.com/fileadmin/psirt/downloads/syt-2022-6.html
industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html
industrial.softing.com/products/opc-ua-sdks.html
industrial.softing.com/support/security-information.html
www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H