CVE-2022-26034

Improper authentication vulnerability in the communication protocol provided by AD (Automation Design) server of CENTUM VP R6.01.10 to R6.09.00, CENTUM VP Small R6.01.10 to R6.09.00, CENTUM VP Basic R6.01.10 to R6.09.00, and B/M9000 VP R8.01.01 to R8.03.01 allows an attacker to use the functions provided by AD server. This may lead to leakage or tampering of data managed by AD server.

CVSS v3.0 9.1 CRITICAL
CVSS v2.0 5.8 MEDIUM

9.1^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://jvn.jp/vu/JVNVU99204686/index.html	Third Party Advisory
https://www.yokogawa.com/library/resources/white-papers/yokogawa-security-advisory-report-list/	Vendor Advisory

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:yokogawa:b\/m9000_vp::::::::
	cpe:2.3:a:yokogawa:centum_vp:::::basic:::*
	cpe:2.3:a:yokogawa:centum_vp:::::-:::*
	cpe:2.3:a:yokogawa:centum_vp:::::small:::*

Information

Published : 2022-04-14 19:15

Updated : 2022-04-22 11:45

NVD link : CVE-2022-26034

Mitre link : CVE-2022-26034

JSON object : View

CWE

CWE-287

Improper Authentication

Advertisement

Products Affected

yokogawa

centum_vp
b\/m9000_vp

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://jvn.jp/vu/JVNVU99204686/index.html", "name": "https://jvn.jp/vu/JVNVU99204686/index.html", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://www.yokogawa.com/library/resources/white-papers/yokogawa-security-advisory-report-list/", "name": "https://www.yokogawa.com/library/resources/white-papers/yokogawa-security-advisory-report-list/", "tags": ["Vendor Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Improper authentication vulnerability in the communication protocol provided by AD (Automation Design) server of CENTUM VP R6.01.10 to R6.09.00, CENTUM VP Small R6.01.10 to R6.09.00, CENTUM VP Basic R6.01.10 to R6.09.00, and B/M9000 VP R8.01.01 to R8.03.01 allows an attacker to use the functions provided by AD server. This may lead to leakage or tampering of data managed by AD server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-287"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-26034", "ASSIGNER": "vultures@jpcert.or.jp"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 4.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}}, "publishedDate": "2022-04-15T02:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:yokogawa:b\\/m9000_vp:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "r8.03.01", "versionStartIncluding": "r8.01.01"}, {"cpe23Uri": "cpe:2.3:a:yokogawa:centum_vp:*:*:*:*:basic:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "r06.09.00", "versionStartIncluding": "r6.01.10"}, {"cpe23Uri": "cpe:2.3:a:yokogawa:centum_vp:*:*:*:*:-:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "r6.09.00", "versionStartIncluding": "r6.01.10"}, {"cpe23Uri": "cpe:2.3:a:yokogawa:centum_vp:*:*:*:*:small:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "r6.09.00", "versionStartIncluding": "r6.01.10"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-04-22T18:45Z"}