CVE-2023-1552 (GCVE-0-2023-1552)

Vulnerability from cvelistv5 – Published: 2023-04-11 14:38 – Updated: 2025-02-06 21:44
VLAI?
Summary
ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors.  Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power's Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user. 
Severity ?
2.9 (Low)
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
6.4 (Medium)
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L
CWE
  • CVE-502
Assigner
References
Impacted products
Vendor Product Version
GE Gas Power ToolboxST Affected: 0 , < 7.10 (custom)
Create a notification for this product.
Credits
Sharon Brizinov of Claroty
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:49:11.676Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ge.com/content/dam/cyber_security/global/en_US/pdfs/2023-03-23_ToolboxST_Deserialization_of_Untrusted_Configuration_Data.pdf"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1552",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-06T21:43:10.282154Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-06T21:44:02.467Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "ToolboxST",
          "vendor": "GE Gas Power",
          "versions": [
            {
              "lessThan": "7.10",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Sharon Brizinov of Claroty"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user\u0027s context through the deserialization of an untrusted configuration file.\u0026nbsp;Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eCustomers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power\u0027s Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.\u0026nbsp;"
            }
          ],
          "value": "ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user\u0027s context through the deserialization of an untrusted configuration file.\u00a0Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors.\u00a0\n\nCustomers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power\u0027s Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.\u00a0"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-586",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-586 Object Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "Gas Power Deployment - Local Attack"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "Gas Power Deployment - Social Engineering Attack"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CVE-502",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-11T14:38:16.504Z",
        "orgId": "2cf0fb33-79e2-44e0-beb8-826cc5ce3250",
        "shortName": "GE GP"
      },
      "references": [
        {
          "url": "https://www.ge.com/content/dam/cyber_security/global/en_US/pdfs/2023-03-23_ToolboxST_Deserialization_of_Untrusted_Configuration_Data.pdf"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to ToolboxST version \u0026gt;=7.10 (available in ControlST \u0026gt;=7.10)"
            }
          ],
          "value": "Update to ToolboxST version \u003e=7.10 (available in ControlST \u003e=7.10)"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ToolboxST Deserialization of Untrusted Configuration Data",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2cf0fb33-79e2-44e0-beb8-826cc5ce3250",
    "assignerShortName": "GE GP",
    "cveId": "CVE-2023-1552",
    "datePublished": "2023-04-11T14:38:16.504Z",
    "dateReserved": "2023-03-21T18:08:24.597Z",
    "dateUpdated": "2025-02-06T21:44:02.467Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ge:toolboxst:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"7.10\", \"matchCriteriaId\": \"8D1460BD-43AF-4C48-A19C-C423264A921B\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user\u0027s context through the deserialization of an untrusted configuration file.\\u00a0Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors.\\u00a0\\n\\nCustomers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power\u0027s Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.\\u00a0\"}]",
      "id": "CVE-2023-1552",
      "lastModified": "2024-11-21T07:39:25.600",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"GEPowerCVD@ge.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 0.6, \"impactScore\": 5.3}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}]}",
      "published": "2023-04-11T15:15:10.397",
      "references": "[{\"url\": \"https://www.ge.com/content/dam/cyber_security/global/en_US/pdfs/2023-03-23_ToolboxST_Deserialization_of_Untrusted_Configuration_Data.pdf\", \"source\": \"GEPowerCVD@ge.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.ge.com/content/dam/cyber_security/global/en_US/pdfs/2023-03-23_ToolboxST_Deserialization_of_Untrusted_Configuration_Data.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "GEPowerCVD@ge.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-1552\",\"sourceIdentifier\":\"GEPowerCVD@ge.com\",\"published\":\"2023-04-11T15:15:10.397\",\"lastModified\":\"2024-11-21T07:39:25.600\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user\u0027s context through the deserialization of an untrusted configuration file.\u00a0Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors.\u00a0\\n\\nCustomers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power\u0027s Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.\u00a0\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"GEPowerCVD@ge.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.6,\"impactScore\":5.3},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ge:toolboxst:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.10\",\"matchCriteriaId\":\"8D1460BD-43AF-4C48-A19C-C423264A921B\"}]}]}],\"references\":[{\"url\":\"https://www.ge.com/content/dam/cyber_security/global/en_US/pdfs/2023-03-23_ToolboxST_Deserialization_of_Untrusted_Configuration_Data.pdf\",\"source\":\"GEPowerCVD@ge.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.ge.com/content/dam/cyber_security/global/en_US/pdfs/2023-03-23_ToolboxST_Deserialization_of_Untrusted_Configuration_Data.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.ge.com/content/dam/cyber_security/global/en_US/pdfs/2023-03-23_ToolboxST_Deserialization_of_Untrusted_Configuration_Data.pdf\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T05:49:11.676Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-1552\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-06T21:43:10.282154Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-06T21:43:52.945Z\"}}], \"cna\": {\"title\": \"ToolboxST Deserialization of Untrusted Configuration Data\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"analyst\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Sharon Brizinov of Claroty\"}], \"impacts\": [{\"capecId\": \"CAPEC-586\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-586 Object Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 2.9, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"Gas Power Deployment - Local Attack\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"Gas Power Deployment - Social Engineering Attack\"}]}], \"affected\": [{\"vendor\": \"GE Gas Power\", \"product\": \"ToolboxST\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"7.10\", \"versionType\": \"custom\"}], \"platforms\": [\"Windows\"], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update to ToolboxST version \u003e=7.10 (available in ControlST \u003e=7.10)\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Update to ToolboxST version \u0026gt;=7.10 (available in ControlST \u0026gt;=7.10)\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.ge.com/content/dam/cyber_security/global/en_US/pdfs/2023-03-23_ToolboxST_Deserialization_of_Untrusted_Configuration_Data.pdf\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user\u0027s context through the deserialization of an untrusted configuration file.\\u00a0Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors.\\u00a0\\n\\nCustomers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power\u0027s Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.\\u00a0\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user\u0027s context through the deserialization of an untrusted configuration file.\u0026nbsp;Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eCustomers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power\u0027s Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.\u0026nbsp;\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CVE-502\"}]}], \"providerMetadata\": {\"orgId\": \"2cf0fb33-79e2-44e0-beb8-826cc5ce3250\", \"shortName\": \"GE GP\", \"dateUpdated\": \"2023-04-11T14:38:16.504Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-1552\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-06T21:44:02.467Z\", \"dateReserved\": \"2023-03-21T18:08:24.597Z\", \"assignerOrgId\": \"2cf0fb33-79e2-44e0-beb8-826cc5ce3250\", \"datePublished\": \"2023-04-11T14:38:16.504Z\", \"assignerShortName\": \"GE GP\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.