CVE-2023-22805 - OpenCVE

LS ELECTRIC XBC-DN32U with operating system version 01.80 has improper access control to its read prohibition feature. This could allow a remote attacker to remotely set the feature to lock users out of reading data from the device.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ls-electric	Xbc-dn32u Xbc-dn32u Firmware

Configuration 1 [-]

AND

cpe:2.3:o:ls-electric:xbc-dn32u_firmware:01.80:*:*:*:*:*:*:*

cpe:2.3:h:ls-electric:xbc-dn32u:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2023-02-15T17:27:50.026Z

Updated: 2024-08-02T10:20:30.904Z

Reserved: 2023-01-06T18:49:55.855Z

Link: CVE-2023-22805

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-02-15T18:15:11.923

Modified: 2023-11-07T04:07:25.357

Link: CVE-2023-22805

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-22805", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2023-01-06T18:49:55.855Z", "datePublished": "2023-02-15T17:27:50.026Z", "dateUpdated": "2024-08-02T10:20:30.904Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "XBC-DN32U", "vendor": "LS Electric", "versions": [{"status": "affected", "version": "Operating System Version 01.80"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "HeeA Go of Dankook University reported these vulnerabilities"}], "datePublic": "2023-02-09T21:03:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>LS ELECTRIC XBC-DN32U with operating system version 01.80 has improper access control to its read prohibition feature. This could allow a remote attacker to remotely set the feature to lock users out of reading data from the device.</p>"}], "value": "LS ELECTRIC XBC-DN32U with operating system version 01.80 has improper access control to its read prohibition feature. This could allow a remote attacker to remotely set the feature to lock users out of reading data from the device.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-02-15T17:27:50.026Z"}, "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-02"}], "source": {"discovery": "EXTERNAL"}, "title": "CVE-2023-22805", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>LS ELECTRIC is developing mitigations (to be released tentatively by the end of 2023) and recommends users follow the provided workarounds to reduce the risk of exploitation: </p><ul><li>Restrict communication to the PLC to only trusted IP addresses and trusted devices by enabling the \u201cHost Table\u201d option in the configuration window of the PLC. </li></ul>\n\n<br>"}], "value": "\nLS ELECTRIC is developing mitigations (to be released tentatively by the end of 2023) and recommends users follow the provided workarounds to reduce the risk of exploitation: \n\n * Restrict communication to the PLC to only trusted IP addresses and trusted devices by enabling the \u201cHost Table\u201d option in the configuration window of the PLC. \n\n\n\n\n\n"}], "x_generator": {"engine": "VINCE 2.0.6", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2023-22805"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:20:30.904Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-02", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ls-electric:xbc-dn32u_firmware:01.80:*:*:*:*:*:*:*", "matchCriteriaId": "242DFA36-841D-457E-B4B7-592A73993C76", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ls-electric:xbc-dn32u:-:*:*:*:*:*:*:*", "matchCriteriaId": "78A41BC8-F37E-41EE-BA99-AC992AC24F32", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LS ELECTRIC XBC-DN32U with operating system version 01.80 has improper access control to its read prohibition feature. This could allow a remote attacker to remotely set the feature to lock users out of reading data from the device.\n\n"}], "id": "CVE-2023-22805", "lastModified": "2023-11-07T04:07:25.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2023-02-15T18:15:11.923", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}