CVE-2024-22182 - OpenCVE

A remote, unauthenticated attacker may be able to send crafted messages to the web server of the Commend WS203VICM causing the system to restart, interrupting service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://clibrary-online.commend.com/en/cyber-security/security-advisories.html
https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-03-01T20:52:59.597Z

Updated: 2024-08-12T20:25:02.479Z

Reserved: 2024-01-30T22:06:32.541Z

Link: CVE-2024-22182

Vulnrichment

Updated: 2024-08-01T22:35:34.932Z

NVD

Status : Awaiting Analysis

Published: 2024-03-01T21:15:08.167

Modified: 2024-08-12T21:15:31.830

Link: CVE-2024-22182

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22182", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-01-30T22:06:32.541Z", "datePublished": "2024-03-01T20:52:59.597Z", "dateUpdated": "2024-08-12T20:25:02.479Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WS203VICM", "vendor": "Commend", "versions": [{"lessThanOrEqual": "1.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Aar\u00f3n Flecha Men\u00e9ndez of S21sec reported these vulnerabilities to CISA."}], "datePublic": "2024-02-20T20:48:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\nA remote, unauthenticated attacker may be able to send crafted messages \nto the web server of the Commend WS203VICM causing the system to \nrestart, interrupting service.\n\n"}], "value": "A remote, unauthenticated attacker may be able to send crafted messages \nto the web server of the Commend WS203VICM causing the system to \nrestart, interrupting service.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "description": "CWE-88 Argument Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-03-01T20:52:59.597Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01"}, {"url": "https://clibrary-online.commend.com/en/cyber-security/security-advisories.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\nAlthough this is an end-of-life product, Commend has created new firmware <a target=\"_blank\" rel=\"nofollow\" href=\"https://clibrary-online.commend.com/\">version WS-CM 2.0</a> <span style=\"background-color: var(--wht);\"> to\n address the first two issues. The new firmware can be loaded via the \nprogram \"IP Station Config\". To install the firmware, follow the \ninstructions below:</span><ol>\n<li>Log in to the Commend web-portal.</li>\n<li>Download and extract the \"Terminals Software Package\".</li>\n<li>In \"IP Station Config\", select the stations to be updated in the table.</li>\n<li>Go to: Menu Station > Firmware Download</li>\n<li>Select the file \"WS-CM 2.0.geh\" from the folder \"WS-CM\" and click on the button Open.</li>\n</ol>\n<p>For additional information, please visit <a target=\"_blank\" rel=\"nofollow\" href=\"https://clibrary-online.commend.com/en/cyber-security/security-advisories.html\">CSA-2024-42 on Commend's cybersecurity website.</a></p>\n\n<br>"}], "value": "Although this is an end-of-life product, Commend has created new firmware version WS-CM 2.0 https://clibrary-online.commend.com/ \u00a0\u00a0to\n address the first two issues. The new firmware can be loaded via the \nprogram \"IP Station Config\". To install the firmware, follow the \ninstructions below:\n * Log in to the Commend web-portal.\n\n * Download and extract the \"Terminals Software Package\".\n\n * In \"IP Station Config\", select the stations to be updated in the table.\n\n * Go to: Menu Station > Firmware Download\n\n * Select the file \"WS-CM 2.0.geh\" from the folder \"WS-CM\" and click on the button Open.\n\n\nFor additional information, please visit CSA-2024-42 on Commend's cybersecurity website. https://clibrary-online.commend.com/en/cyber-security/security-advisories.html \n\n\n\n\n"}], "source": {"advisory": "ICSA-24-051-01", "discovery": "EXTERNAL"}, "tags": ["unsupported-when-assigned"], "title": "Commend WS203VICM Argument Injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.932Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01", "tags": ["x_transferred"]}, {"url": "https://clibrary-online.commend.com/en/cyber-security/security-advisories.html", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "commend", "product": "ws203vicm_firmware", "cpes": ["cpe:2.3:o:commend:ws203vicm_firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-04T19:32:08.452696Z", "id": "CVE-2024-22182", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T20:25:02.479Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01", "tags": ["x_transferred"]}, {"url": "https://clibrary-online.commend.com/en/cyber-security/security-advisories.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.932Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22182", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-04T19:32:08.452696Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:commend:ws203vicm_firmware:*:*:*:*:*:*:*:*"], "vendor": "commend", "product": "ws203vicm_firmware", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T20:24:21.035Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "Commend WS203VICM Argument Injection", "source": {"advisory": "ICSA-24-051-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Aar\u00f3n Flecha Men\u00e9ndez of S21sec reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Commend", "product": "WS203VICM", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Although this is an end-of-life product, Commend has created new firmware version WS-CM 2.0 https://clibrary-online.commend.com/ \u00a0\u00a0to\n address the first two issues. The new firmware can be loaded via the \nprogram \"IP Station Config\". To install the firmware, follow the \ninstructions below:\n * Log in to the Commend web-portal.\n\n * Download and extract the \"Terminals Software Package\".\n\n * In \"IP Station Config\", select the stations to be updated in the table.\n\n * Go to: Menu Station > Firmware Download\n\n * Select the file \"WS-CM 2.0.geh\" from the folder \"WS-CM\" and click on the button Open.\n\n\nFor additional information, please visit CSA-2024-42 on Commend's cybersecurity website. https://clibrary-online.commend.com/en/cyber-security/security-advisories.html \n\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\nAlthough this is an end-of-life product, Commend has created new firmware <a target=\"_blank\" rel=\"nofollow\" href=\"https://clibrary-online.commend.com/\">version WS-CM 2.0</a> <span style=\"background-color: var(--wht);\"> to\n address the first two issues. The new firmware can be loaded via the \nprogram \"IP Station Config\". To install the firmware, follow the \ninstructions below:</span><ol>\n<li>Log in to the Commend web-portal.</li>\n<li>Download and extract the \"Terminals Software Package\".</li>\n<li>In \"IP Station Config\", select the stations to be updated in the table.</li>\n<li>Go to: Menu Station > Firmware Download</li>\n<li>Select the file \"WS-CM 2.0.geh\" from the folder \"WS-CM\" and click on the button Open.</li>\n</ol>\n<p>For additional information, please visit <a target=\"_blank\" rel=\"nofollow\" href=\"https://clibrary-online.commend.com/en/cyber-security/security-advisories.html\">CSA-2024-42 on Commend's cybersecurity website.</a></p>\n\n<br>", "base64": false}]}], "datePublic": "2024-02-20T20:48:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01"}, {"url": "https://clibrary-online.commend.com/en/cyber-security/security-advisories.html"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A remote, unauthenticated attacker may be able to send crafted messages \nto the web server of the Commend WS203VICM causing the system to \nrestart, interrupting service.\n\n", "supportingMedia": [{"type": "text/html", "value": "\nA remote, unauthenticated attacker may be able to send crafted messages \nto the web server of the Commend WS203VICM causing the system to \nrestart, interrupting service.\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88 Argument Injection"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-03-01T20:52:59.597Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22182", "state": "PUBLISHED", "dateUpdated": "2024-08-12T20:25:02.479Z", "dateReserved": "2024-01-30T22:06:32.541Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2024-03-01T20:52:59.597Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}