github - ghsa-x475-4gwh-773r

ghsa-x475-4gwh-773r

Vulnerability from github

Published

2022-08-18 00:00

Modified

2022-08-20 00:00

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-1748"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-17T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability.",
  "id": "GHSA-x475-4gwh-773r",
  "modified": "2022-08-20T00:00:46Z",
  "published": "2022-08-18T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1748"
    },
    {
      "type": "WEB",
      "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

cve-2022-1748

Vulnerability from cvelistv5

Published

2022-08-17 20:08

Modified

2024-08-03 00:16

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Softing Secure Integration Server NULL Pointer Dereference

References

▼	URL	Tags
	https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04	x_refsource_CONFIRM
	https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	Softing	Secure Integration Server
	Softing	OPC UA C++ SDK
	Softing	edgeConnector Siemens
	Softing	edgeConnector 840D
	Softing	edgeConnector Modbus
	Softing	edgeAggregator

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:16:59.941Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Secure Integration Server",
          "vendor": "Softing",
          "versions": [
            {
              "status": "affected",
              "version": "V1.22"
            }
          ]
        },
        {
          "product": "OPC UA C++ SDK",
          "vendor": "Softing",
          "versions": [
            {
              "status": "affected",
              "version": "V6.00"
            }
          ]
        },
        {
          "product": "edgeConnector Siemens",
          "vendor": "Softing",
          "versions": [
            {
              "status": "affected",
              "version": "V3.10"
            }
          ]
        },
        {
          "product": "edgeConnector 840D",
          "vendor": "Softing",
          "versions": [
            {
              "status": "affected",
              "version": "V3.10"
            }
          ]
        },
        {
          "product": "edgeConnector Modbus",
          "vendor": "Softing",
          "versions": [
            {
              "status": "affected",
              "version": "V3.10"
            }
          ]
        },
        {
          "product": "edgeAggregator",
          "vendor": "Softing",
          "versions": [
            {
              "status": "affected",
              "version": "V3.10"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Pedro Ribeiro and Radek Domanski, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Softing and CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476: NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-17T20:08:38",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Softing released new versions to address these vulnerabilities and notified known users of the releases. Users are advised to update to the new versions:\nSofting Secure Integration Server V1.30 \n\nThe latest software packages can be downloaded from the Softing website. \n\nSofting recommends the following mitigations and workarounds: \nChange the admin password or create a new user with administrative rights and delete the default admin user. \nConfigure the Windows firewall to block network requests to IP port 9000. \nDisable the HTTP Server in NGINX configuration of the Softing Secure Integration Server, only using the HTTPS server. \nFor more details on these vulnerabilities and mitigations, users should see SYT-2022-7 on the Softing security website."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Softing Secure Integration Server NULL Pointer Dereference",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2022-1748",
          "STATE": "PUBLIC",
          "TITLE": "Softing Secure Integration Server NULL Pointer Dereference"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Secure Integration Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "V1.22"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "OPC UA C++ SDK",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "V6.00"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "edgeConnector Siemens",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "V3.10"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "edgeConnector 840D",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "V3.10"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "edgeConnector Modbus",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "V3.10"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "edgeAggregator",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "V3.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Softing"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Pedro Ribeiro and Radek Domanski, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Softing and CISA."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Softing OPC UA C++ Server SDK, Secure Integration Server, edgeConnector, edgeAggregator, OPC Suite, and uaGate are affected by a NULL pointer dereference vulnerability."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-476: NULL Pointer Dereference"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04",
              "refsource": "CONFIRM",
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-04"
            },
            {
              "name": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html",
              "refsource": "CONFIRM",
              "url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-7.html"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Softing released new versions to address these vulnerabilities and notified known users of the releases. Users are advised to update to the new versions:\nSofting Secure Integration Server V1.30 \n\nThe latest software packages can be downloaded from the Softing website. \n\nSofting recommends the following mitigations and workarounds: \nChange the admin password or create a new user with administrative rights and delete the default admin user. \nConfigure the Windows firewall to block network requests to IP port 9000. \nDisable the HTTP Server in NGINX configuration of the Softing Secure Integration Server, only using the HTTPS server. \nFor more details on these vulnerabilities and mitigations, users should see SYT-2022-7 on the Softing security website."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2022-1748",
    "datePublished": "2022-08-17T20:08:38",
    "dateReserved": "2022-05-16T00:00:00",
    "dateUpdated": "2024-08-03T00:16:59.941Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted