cve-2024-3467
Vulnerability from cvelistv5
Published
2024-06-12 21:04
Modified
2024-08-01 20:12
Severity
Summary
Deserialization of Untrusted Data in AVEVA PI Asset Framework Client
References
Impacted products
| Vendor | Product |
|---|---|
| AVEVA | PI Asset Framework Client |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:aveva:pi_asset_framework_client:2023:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pi_asset_framework_client",
"vendor": "aveva",
"versions": [
{
"status": "affected",
"version": "2023"
}
]
},
{
"cpes": [
"cpe:2.3:a:aveva:pi_asset_framework_client:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "pi_asset_framework_client",
"vendor": "aveva",
"versions": [
{
"lessThanOrEqual": "2018",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3467",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T18:12:24.328615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T18:32:56.636Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:12:07.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"government-resource",
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PI Asset Framework Client",
"vendor": "AVEVA",
"versions": [
{
"status": "affected",
"version": "2023"
},
{
"lessThanOrEqual": "2018 SP3 P04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "AVEVA reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThere is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.\u003c/span\u003e"
}
],
"value": "There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T21:04:26.635Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003eAVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:\u003c/p\u003e\u003cul\u003e\u003cli\u003e(Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later:\u003cbr\u003eFrom \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://my.osisoft.com/\"\u003eOSI Soft Customer Portal\u003c/a\u003e, search for \"Asset Framework\" and select \"PI Asset Framework (AF) Client 2023 Patch 1\" or later.\u003c/li\u003e\u003cli\u003e(Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later:\u003cbr\u003eFrom \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://my.osisoft.com/\"\u003eOSI Soft Customer Portal\u003c/a\u003e, search for \"Asset Framework\" and select either \"PI Asset Framework (AF) Client 2018 SP3 Patch 5\" or later.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAVEVA further recommends users follow general defensive measures:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRun PI System Explorer as a least privilege interactive account when possible.\u003c/li\u003e\u003cli\u003eEstablish procedures for verifying the source of XML is trusted before importing into PI System Explorer.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor additional information please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/en/support-and-success/cyber-security-updates/\"\u003eAVEVA-2024-004\u003c/a\u003e\u003c/p\u003e"
}
],
"value": "AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:\n\n * (Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later:\nFrom OSI Soft Customer Portal https://my.osisoft.com/ , search for \"Asset Framework\" and select \"PI Asset Framework (AF) Client 2023 Patch 1\" or later.\n * (Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later:\nFrom OSI Soft Customer Portal https://my.osisoft.com/ , search for \"Asset Framework\" and select either \"PI Asset Framework (AF) Client 2018 SP3 Patch 5\" or later.\n\n\nAVEVA further recommends users follow general defensive measures:\n\n * Run PI System Explorer as a least privilege interactive account when possible.\n * Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer.\n\n\nFor additional information please refer to AVEVA-2024-004 https://www.aveva.com/en/support-and-success/cyber-security-updates/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Deserialization of Untrusted Data in AVEVA PI Asset Framework Client",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-3467",
"datePublished": "2024-06-12T21:04:26.635Z",
"dateReserved": "2024-04-08T15:55:44.665Z",
"dateUpdated": "2024-08-01T20:12:07.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-3467\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2024-06-12T21:15:50.617\",\"lastModified\":\"2024-06-13T18:36:09.010\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad en AVEVA PI Asset Framework Client que podr\u00eda permitir que se ejecute c\u00f3digo malicioso en el entorno de PI System Explorer bajo los privilegios de un usuario interactivo que fue manipulado socialmente para importar XML proporcionado por un atacante.\"}],\"metrics\":{},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}"
}
}
Loading...