CVE-2022-2547 - OpenCVE

A crafted HTTP packet without a content-type header can create a denial-of-service condition in Softing Secure Integration Server V1.22.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Softing	Edgeaggregator Edgeconnector Opc Opc Ua C\+\+ Software Development Kit Secure Integration Server Uagates

Configuration 1 [-]

OR	cpe:2.3:a:softing:edgeaggregator:3.1:::::::*
	cpe:2.3:a:softing:edgeconnector:3.1:::::::*
	cpe:2.3:a:softing:opc:5.2:::::::*
	cpe:2.3:a:softing:opc_ua_c\+\+_software_development_kit:6:::::::*
	cpe:2.3:a:softing:secure_integration_server:1.22:::::::*
	cpe:2.3:a:softing:uagates:1.74:::::::*

No data.

References

Link	Providers
https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-4.html
https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-08-17T20:06:38

Updated: 2024-08-03T00:39:08.031Z

Reserved: 2022-07-26T00:00:00

Link: CVE-2022-2547

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-17T21:15:09.337

Modified: 2022-08-19T01:43:28.157

Link: CVE-2022-2547

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Secure Integration Server", "vendor": "Softing", "versions": [{"status": "affected", "version": "V1.22"}]}], "credits": [{"lang": "en", "value": "Pedro Ribeiro and Radek Domanski, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Softing and CISA."}], "descriptions": [{"lang": "en", "value": "A crafted HTTP packet without a content-type header can create a denial-of-service condition in Softing Secure Integration Server V1.22."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-17T20:06:38", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-4.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"}], "solutions": [{"lang": "en", "value": "Softing released new versions to address these vulnerabilities and notified known users of the releases. Users are advised to update to the new versions:\nSofting Secure Integration Server V1.30 \n\nThe latest software packages can be downloaded from the Softing website. \n\nSofting recommends the following mitigations and workarounds: \nChange the admin password or create a new user with administrative rights and delete the default admin user. \nConfigure the Windows firewall to block network requests to IP port 9000. \nDisable the HTTP Server in NGINX configuration of the Softing Secure Integration Server, only using the HTTPS server. \nFor more details on these vulnerabilities and mitigations, users should see SYT-2022-4 on the Softing security website."}], "source": {"discovery": "EXTERNAL"}, "title": "Softing Secure Integration Server NULL Pointer Dereference", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-2547", "STATE": "PUBLIC", "TITLE": "Softing Secure Integration Server NULL Pointer Dereference"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Secure Integration Server", "version": {"version_data": [{"version_affected": "=", "version_value": "V1.22"}]}}]}, "vendor_name": "Softing"}]}}, "credit": [{"lang": "eng", "value": "Pedro Ribeiro and Radek Domanski, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Softing and CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A crafted HTTP packet without a content-type header can create a denial-of-service condition in Softing Secure Integration Server V1.22."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-476: NULL Pointer Dereference"}]}]}, "references": {"reference_data": [{"name": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-4.html", "refsource": "CONFIRM", "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-4.html"}, {"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"}]}, "solution": [{"lang": "en", "value": "Softing released new versions to address these vulnerabilities and notified known users of the releases. Users are advised to update to the new versions:\nSofting Secure Integration Server V1.30 \n\nThe latest software packages can be downloaded from the Softing website. \n\nSofting recommends the following mitigations and workarounds: \nChange the admin password or create a new user with administrative rights and delete the default admin user. \nConfigure the Windows firewall to block network requests to IP port 9000. \nDisable the HTTP Server in NGINX configuration of the Softing Secure Integration Server, only using the HTTPS server. \nFor more details on these vulnerabilities and mitigations, users should see SYT-2022-4 on the Softing security website."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:39:08.031Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-4.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-2547", "datePublished": "2022-08-17T20:06:38", "dateReserved": "2022-07-26T00:00:00", "dateUpdated": "2024-08-03T00:39:08.031Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:softing:edgeaggregator:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "C0E07A55-5FA0-402D-BB22-FA8D3D8C484D", "vulnerable": true}, {"criteria": "cpe:2.3:a:softing:edgeconnector:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "62FE322E-A720-4E08-9058-3BAC295E720B", "vulnerable": true}, {"criteria": "cpe:2.3:a:softing:opc:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "A9916828-8213-47D4-B294-8112B241F32C", "vulnerable": true}, {"criteria": "cpe:2.3:a:softing:opc_ua_c\\+\\+_software_development_kit:6:*:*:*:*:*:*:*", "matchCriteriaId": "BA185EBD-8048-4B1C-A476-4AE61831ACF7", "vulnerable": true}, {"criteria": "cpe:2.3:a:softing:secure_integration_server:1.22:*:*:*:*:*:*:*", "matchCriteriaId": "0BF8EC24-9C94-4C55-A496-5DD524B981C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:softing:uagates:1.74:*:*:*:*:*:*:*", "matchCriteriaId": "2DD68DEC-1E1C-456F-8FC2-F3EF9A72B012", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A crafted HTTP packet without a content-type header can create a denial-of-service condition in Softing Secure Integration Server V1.22."}, {"lang": "es", "value": "Un paquete HTTP dise\u00f1ado sin un encabezado de tipo de contenido puede crear una condici\u00f3n de denegaci\u00f3n de servicio en Softing Secure Integration Server versi\u00f3n V1.22."}], "id": "CVE-2022-2547", "lastModified": "2022-08-19T01:43:28.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-08-17T21:15:09.337", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-4.html"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}