CVE-2022-2793 - OpenCVE

Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-353 Missing Support for Integrity Check, and has no authentication or authorization of data packets after establishing a connection for the SRTP protocol.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Emerson	Electric\'s Proficy

Configuration 1 [-]

cpe:2.3:a:emerson:electric\'s_proficy:*:*:*:*:machine:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-06

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-08-19T22:33:42

Updated: 2024-08-03T00:46:04.386Z

Reserved: 2022-08-11T00:00:00

Link: CVE-2022-2793

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-19T23:15:09.410

Modified: 2022-08-24T16:12:32.093

Link: CVE-2022-2793

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Proficy Machine Edition", "vendor": "Emerson Electric", "versions": [{"lessThanOrEqual": "9.00", "status": "affected", "version": "all", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Sharon Brizinov of Claroty reported this vulnerability to Emerson and CISA"}], "descriptions": [{"lang": "en", "value": "Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-353 Missing Support for Integrity Check, and has no authentication or authorization of data packets after establishing a connection for the SRTP protocol."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-353", "description": "CWE-353 Missing Support for Integrity Check", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-19T22:33:42", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-06"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-2793", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Proficy Machine Edition", "version": {"version_data": [{"version_affected": "<=", "version_name": "all", "version_value": "9.00"}]}}]}, "vendor_name": "Emerson Electric"}]}}, "credit": [{"lang": "eng", "value": "Sharon Brizinov of Claroty reported this vulnerability to Emerson and CISA"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-353 Missing Support for Integrity Check, and has no authentication or authorization of data packets after establishing a connection for the SRTP protocol."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-353 Missing Support for Integrity Check"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-06", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-06"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:46:04.386Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-06"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-2793", "datePublished": "2022-08-19T22:33:42", "dateReserved": "2022-08-11T00:00:00", "dateUpdated": "2024-08-03T00:46:04.386Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emerson:electric\\'s_proficy:*:*:*:*:machine:*:*:*", "matchCriteriaId": "7CC0C589-A7E7-4E9F-A6F1-566DD183D2E4", "versionEndIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-353 Missing Support for Integrity Check, and has no authentication or authorization of data packets after establishing a connection for the SRTP protocol."}, {"lang": "es", "value": "Emerson Electrics Proficy Machine Edition versiones 9.00 y anteriores, es vulnerable a CWE-353 Falta de Soporte para la Comprobaci\u00f3n de Integridad , y no presenta autenticaci\u00f3n o autorizaci\u00f3n de paquetes de datos despu\u00e9s de establecer una conexi\u00f3n para el protocolo SRTP."}], "id": "CVE-2022-2793", "lastModified": "2022-08-24T16:12:32.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.2, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-08-19T23:15:09.410", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-06"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-353"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}