CVE-2022-35222 - Vulnerability Details - OpenCVE

HiCOS Citizen verification component has a stack-based buffer overflow vulnerability due to insufficient parameter length validation. An unauthenticated physical attacker can exploit this vulnerability to execute arbitrary code, manipulate system command or disrupt service.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00069.

Key SSVC decision points have not yet been added.

Vendors	Products
Hinet	Hicos Natural Person Credential Component Client

Configuration 1 [-]

OR	cpe:2.3:a:hinet:hicos_natural_person_credential_component_client:3.0.3.30306:::::linux::
	cpe:2.3:a:hinet:hicos_natural_person_credential_component_client:3.0.3.30404:::::macos::
	cpe:2.3:a:hinet:hicos_natural_person_credential_component_client:3.1.0.00002:::::windows::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-38114	HiCOS Citizen verification component has a stack-based buffer overflow vulnerability due to insufficient parameter length validation. An unauthenticated physical attacker can exploit this vulnerability to execute arbitrary code, manipulate system command or disrupt service.

Fixes

Solution

Download the latest version

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-6363-f5ec2-1.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2022-08-02T15:21:00.177208Z

Updated: 2024-09-16T20:37:53.650Z

Reserved: 2022-07-05T00:00:00

Link: CVE-2022-35222

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-08-02T16:15:10.820

Modified: 2024-11-21T07:10:55.340

Link: CVE-2022-35222

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Linux"], "product": "HiCOS Citizen verification component - Stack Buffer Overflow", "vendor": "HINET", "versions": [{"status": "affected", "version": "libHicos_p11v1.so CHT PKCS#11 3.0.3.30306"}]}, {"platforms": ["Windows"], "product": "HiCOS Citizen verification component - Stack Buffer Overflow", "vendor": "HINET", "versions": [{"status": "affected", "version": "HiCOSPKCS11.dll CHT PKCS#11 3.1.0.00002"}]}, {"platforms": ["macOS"], "product": "HiCOS Citizen verification component - Stack Buffer Overflow", "vendor": "HINET", "versions": [{"status": "affected", "version": "libHicos_p11v1.dylib CHT PKCS#11 3.0.3.30404"}]}], "datePublic": "2022-07-29T00:00:00", "descriptions": [{"lang": "en", "value": "HiCOS Citizen verification component has a stack-based buffer overflow vulnerability due to insufficient parameter length validation. An unauthenticated physical attacker can exploit this vulnerability to execute arbitrary code, manipulate system command or disrupt service."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-02T15:21:00", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-6363-f5ec2-1.html"}], "solutions": [{"lang": "en", "value": "Download the latest version"}], "source": {"advisory": "TVN-202207006", "discovery": "EXTERNAL"}, "title": "HiCOS Citizen verification component - Stack Buffer Overflow", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2022-07-29T06:52:00.000Z", "ID": "CVE-2022-35222", "STATE": "PUBLIC", "TITLE": "HiCOS Citizen verification component - Stack Buffer Overflow"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HiCOS Citizen verification component - Stack Buffer Overflow", "version": {"version_data": [{"platform": "Linux", "version_affected": "=", "version_value": "libHicos_p11v1.so CHT PKCS#11 3.0.3.30306"}, {"platform": "Windows", "version_affected": "=", "version_value": "HiCOSPKCS11.dll CHT PKCS#11 3.1.0.00002"}, {"platform": "macOS", "version_affected": "=", "version_value": "libHicos_p11v1.dylib CHT PKCS#11 3.0.3.30404"}]}}]}, "vendor_name": "HINET"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "HiCOS Citizen verification component has a stack-based buffer overflow vulnerability due to insufficient parameter length validation. An unauthenticated physical attacker can exploit this vulnerability to execute arbitrary code, manipulate system command or disrupt service."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-787 Out-of-bounds Write"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-6363-f5ec2-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-6363-f5ec2-1.html"}]}, "solution": [{"lang": "en", "value": "Download the latest version"}], "source": {"advisory": "TVN-202207006", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:29:17.452Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-6363-f5ec2-1.html"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2022-35222", "datePublished": "2022-08-02T15:21:00.177208Z", "dateReserved": "2022-07-05T00:00:00", "dateUpdated": "2024-09-16T20:37:53.650Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hinet:hicos_natural_person_credential_component_client:3.0.3.30306:*:*:*:*:linux:*:*", "matchCriteriaId": "2C3A74A9-114E-4326-B71C-83FFA3580E63", "vulnerable": true}, {"criteria": "cpe:2.3:a:hinet:hicos_natural_person_credential_component_client:3.0.3.30404:*:*:*:*:macos:*:*", "matchCriteriaId": "7800A8CE-C635-4E00-8BEA-E3E4D4EC9378", "vulnerable": true}, {"criteria": "cpe:2.3:a:hinet:hicos_natural_person_credential_component_client:3.1.0.00002:*:*:*:*:windows:*:*", "matchCriteriaId": "48F1D51B-28F3-4952-BB19-9BCA637DF577", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "HiCOS Citizen verification component has a stack-based buffer overflow vulnerability due to insufficient parameter length validation. An unauthenticated physical attacker can exploit this vulnerability to execute arbitrary code, manipulate system command or disrupt service."}, {"lang": "es", "value": "El componente de verificaci\u00f3n HiCOS Citizen presenta una vulnerabilidad de desbordamiento de b\u00fafer en la regi\u00f3n stack de la memoria debido a la insuficiente comprobaci\u00f3n de la longitud de los par\u00e1metros. Un atacante f\u00edsico no autenticado puede explotar esta vulnerabilidad para ejecutar c\u00f3digo arbitrario, manipular el comando del sistema o interrumpir el servicio"}], "id": "CVE-2022-35222", "lastModified": "2024-11-21T07:10:55.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2022-08-02T16:15:10.820", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-6363-f5ec2-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-6363-f5ec2-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "twcert@cert.org.tw", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}