CVE-2022-3228 - Vulnerability Details - OpenCVE

Description

Using custom code, an attacker can write into name or description fields larger than the appropriate buffer size causing a stack-based buffer overflow on Host Engineering H0-ECOM100 Communications Module Firmware versions v5.0.155 and prior. This may allow an attacker to crash the affected device or cause it to become unresponsive.

Published: 2022-10-28

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Host Engineering

H0-ECOM100 Communications Module

affected

Version	Status	Constraints
`All versions`	affected	≤ Firmware v5.0.155

Configuration 1 [-]

AND

cpe:2.3:o:hosteng:h0-ecom100_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hosteng:h0-ecom100:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-42639	Using custom code, an attacker can write into name or description fields larger than the appropriate buffer size causing a stack-based buffer overflow on Host Engineering H0-ECOM100 Communications Module Firmware versions v5.0.155 and prior. This may allow an attacker to crash the affected device or cause it to become unresponsive.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00083.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-04

History

No history.

Subscriptions

Hosteng H0-ecom100 H0-ecom100 Firmware

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-10-28T17:17:46.811Z

Updated: 2025-04-16T16:07:13.798Z

Reserved: 2022-09-15T00:00:00.000Z

Link: CVE-2022-3228

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-28T18:15:12.077

Modified: 2024-11-21T07:19:05.823

Link: CVE-2022-3228

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-3228", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "datePublished": "2022-10-28T17:17:46.811Z", "dateUpdated": "2025-04-16T16:07:13.798Z", "dateReserved": "2022-09-15T00:00:00.000Z"}, "containers": {"cna": {"datePublic": "2022-09-20T00:00:00.000Z", "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-10-28T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Using custom code, an attacker can write into name or description fields larger than the appropriate buffer size causing a stack-based buffer overflow on Host Engineering H0-ECOM100 Communications Module Firmware versions v5.0.155 and prior. This may allow an attacker to crash the affected device or cause it to become unresponsive."}], "affected": [{"vendor": "Host Engineering", "product": "H0-ECOM100 Communications Module", "versions": [{"version": "All versions", "status": "affected", "lessThanOrEqual": "Firmware v5.0.155", "versionType": "custom"}]}], "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-04"}], "credits": [{"lang": "en", "value": "David Formby and Caleb Purcell of Fortiphyd Logic reported this vulnerability."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-121 Stack-based Buffer Overflow", "cweId": "CWE-121"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:00:10.822Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-04", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T15:49:29.267408Z", "id": "CVE-2022-3228", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T16:07:13.798Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hosteng:h0-ecom100_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5293838-57AE-458F-92A9-C0EC65F98C53", "versionEndExcluding": "5.0.156", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hosteng:h0-ecom100:-:*:*:*:*:*:*:*", "matchCriteriaId": "CEDEBE22-73C0-4F46-BA93-28D3677E4DA4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Using custom code, an attacker can write into name or description fields larger than the appropriate buffer size causing a stack-based buffer overflow on Host Engineering H0-ECOM100 Communications Module Firmware versions v5.0.155 and prior. This may allow an attacker to crash the affected device or cause it to become unresponsive."}, {"lang": "es", "value": "Usando c\u00f3digo personalizado, un atacante puede escribir en campos de nombre o descripci\u00f3n m\u00e1s grandes que el tama\u00f1o de b\u00fafer apropiado, lo que provoca un Desbordamiento del B\u00fafer en Host Engineering H0-ECOM100 Communications Module Firmware en las versiones v5.0.155 y anteriores. Esto puede permitir que un atacante bloquee el dispositivo afectado o que deje de responder."}], "id": "CVE-2022-3228", "lastModified": "2024-11-21T07:19:05.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-28T18:15:12.077", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-04"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-04"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}