1. EXECUTIVE SUMMARY
- CVSS v4 8.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: ABB
- Equipment: M2M Gateway
- Vulnerabilities: Integer Overflow or Wraparound, Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), Unquoted Search Path or Element, Untrusted Search Path, Use After Free, Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Missing Release of Memory after Effective Lifetime, Allocation of Resources Without Limits or Throttling, Improper Privilege Management, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Improper Restriction of Operations within the Bounds of a Memory Buffer, Incorrect Calculation of Buffer Size, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'), Access of Resource Using Incompatible Type ('Type Confusion'), Improper Input Validation, Uncontrolled Resource Consumption, Observable Discrepancy, Generation of Error Message Containing Sensitive Information, Improper Authentication, Improper Validation of Integrity Check Value, Inadequate Encryption Strength, Improper Removal of Sensitive Information Before Storage or Transfer, Exposure of Sensitive Information to an Unauthorized Actor
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to stop the product, make it inaccessible, take remote control of it, or insert and run arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
ABB reports that the following products are affected:
- M2M Gateway ARM600: Versions 4.1.2 up to and including 5.0.3
- M2M Gateway SW: Versions 5.0.1 up to and including 5.0.3
3.2 VULNERABILITY OVERVIEW
3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190
A vulnerability in Git arises from an issue with git attributes parsing. This flaw can lead to an integer overflow, potentially allowing authenticated attackers to execute arbitrary code or cause a denial-of-service.
CVE-2022-23521 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-23521. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 INTEGER OVERFLOW OR WRAPAROUND CWE-190
This vulnerability in Git involves a heap overflow in the git archive and git log --format commands. This flaw could potentially lead to remote code execution if exploited by an authenticated attacker.
CVE-2022-41903 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-41903. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 INCONSISTENT INTERPRETATION OF HTTP REQUESTS ('HTTP REQUEST/RESPONSE SMUGGLING') CWE-444
A vulnerability exists in Apache HTTP Server Versions 2.4.0 through 2.4.55. Some mod_proxy configurations allow HTTP request smuggling: a configuration is affected when mod_proxy is enabled together with a RewriteRule or ProxyPassMatch directive in which a non-specific pattern matches part of the user-supplied request-target (URL) and that data is re-inserted into the proxied request-target through variable substitution. This flaw can allow an authenticated attacker to bypass access controls in the proxy server.
CVE-2023-25690 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-25690. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.4 UNQUOTED SEARCH PATH OR ELEMENT CWE-428
There is a vulnerability in the PKCS#11 feature of ssh-agent in OpenSSH versions before 9.3p2. It involves an insufficiently trustworthy search path, which can lead to remote code execution on the host running the agent if an authenticated user forwards the agent to an attacker-controlled system.
CVE-2023-38408 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-38408. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.5 UNTRUSTED SEARCH PATH CWE-426
An untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 may allow remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent socket.
CVE-2016-10009 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2016-10009. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).
3.2.6 USE AFTER FREE CWE-416
A use-after-free vulnerability was found in systemd. This issue occurs because the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' do not increment the reference count for the DnsStream object. Consequently, other functions and callbacks can dereference the DnsStream object, causing a use-after-free condition when the reference is still used later. This vulnerability allows an authenticated user to execute arbitrary code.
CVE-2022-2526 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-2526. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.7 OUT-OF-BOUNDS WRITE CWE-787
zlib through Version 1.2.12 has a heap-based buffer over-read or buffer overflow vulnerability in inflate.c via a large gzip header extra field. Only applications that call inflateGetHeader are affected. This flaw potentially allows an authenticated attacker to reveal sensitive information or cause a denial-of-service situation.
CVE-2022-37434 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-37434. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.8 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW') CWE-120
A vulnerability in the HFS+ partition file parser of ClamAV Versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to execute arbitrary code. This vulnerability is due to a missing buffer size check, which may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device.
CVE-2023-20032 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-20032. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H).
3.2.9 MISSING RELEASE OF MEMORY AFTER EFFECTIVE LIFETIME CWE-401
An attacker can trigger a small memory leak by spoofing the target resolver with responses that have a malformed ECDSA signature. Over time, this can gradually erode available memory to the point where named crashes due to a lack of resources.
CVE-2022-38177 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2022-38177. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.10 MISSING RELEASE OF MEMORY AFTER EFFECTIVE LIFETIME CWE-401
An attacker can trigger a small memory leak by spoofing the target resolver with responses that have a malformed EdDSA signature. Over time, this can gradually erode available memory to the point where named crashes due to a lack of resources.
CVE-2022-38178 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2022-38178. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.11 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770
This vulnerability allows the configured max-cache-size limit to be significantly exceeded by querying the resolver for specific RRsets in a certain order. This can lead to a denial-of-service condition by exhausting all available memory on the host running named service.
CVE-2023-2828 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-2828. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H).
3.2.12 OUT-OF-BOUNDS WRITE CWE-787
The vulnerability involves the recursive processing of control channel messages sent to named, which can exhaust stack memory and cause named to terminate unexpectedly. Exploiting this flaw requires only network access to the control channel's configured TCP port, without needing a valid RNDC key.
CVE-2023-3341 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-3341. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.13 IMPROPER PRIVILEGE MANAGEMENT CWE-269
Local users with write access to UNIX domain sockets can bypass access controls and manipulate the multipath setup, potentially leading to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled due to the use of arithmetic ADD instead of bitwise OR.
CVE-2022-41974 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-41974. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.14 USE AFTER FREE CWE-416
libexpat versions before 2.4.9 have a use-after-free vulnerability in the doContent function in xmlparse.c.
CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-40674. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.15 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22
By feeding specially crafted input as an authenticated attacker to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents, potentially leading to arbitrary code execution.
CVE-2023-25652 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2023-25652. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.16 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74
A specially crafted .gitmodules file with submodule URLs longer than 1024 characters can be used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. If the attacker injects configuration values that specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) it can lead to remote code execution.
CVE-2023-29007 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-29007. A base score of 4.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H).
3.2.17 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119
A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 gigabit ethernet devices. The vulnerability includes multiple out-of-bounds reads and possible out-of-bounds writes.
CVE-2022-2964 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-2964. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.18 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119
There is a flaw in certain AMD EPYC, Ryzen, Threadripper, and Athlon processors: the LFENCE/JMP software mitigation for branch target injection (Spectre variant 2) may not sufficiently mitigate it on these CPUs, which could lead to information disclosure through speculative execution. ARM600 servers include Intel processors, but there may be ARM600 SW installations running in AMD processor environments.
CVE-2021-26401 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2021-26401. A base score of 4.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N).
3.2.19 INCORRECT CALCULATION OF BUFFER SIZE CWE-131
A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem, affecting how an authenticated user changes certain kernel parameters and variables. This flaw allows a local user to crash the system or potentially escalate their privileges.
CVE-2022-4378 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-4378. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H).
3.2.20 USE AFTER FREE CWE-416
mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free vulnerability related to leaf anon_vma double re-use. This could lead to a system crash or elevation of privileges.
CVE-2022-42703 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2022-42703. A base score of 6.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.21 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION ('RACE CONDITION') CWE-362
A critical vulnerability was found in the Linux Kernel, affecting the function l2cap_reassemble_sdu in the file net/bluetooth/l2cap_core.c within the Bluetooth component. The manipulation of this function leads to a use-after-free condition, which could cause data leakage or denial-of-service conditions.
CVE-2022-3564 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-3564. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.22 USE AFTER FREE CWE-416
In the Linux kernel through Version 6.3.1, a use-after-free vulnerability in Netfilter nf_tables when processing batch requests can be exploited to perform arbitrary read and write operations on kernel memory. This could allow an unprivileged local user to gain root access.
CVE-2023-32233 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-32233. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.23 OUT-OF-BOUNDS WRITE CWE-787
The nftables component of the Linux kernel contains an out-of-bounds read/write vulnerability. The nft_byteorder function poorly handles vm register contents when CAP_NET_ADMIN is present in any user or network namespace. This vulnerability could lead to local user privilege escalation.
CVE-2023-35001 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-35001. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.24 USE AFTER FREE CWE-416
A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local user privilege escalation.
CVE-2023-3609 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-3609. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.25 OUT-OF-BOUNDS WRITE CWE-787
A missing netfilter macro could lead to a miscalculation of the h->nets array offset, providing attackers with the primitive to arbitrarily increment or decrement a memory buffer out-of-bounds. This vulnerability may allow a local user to crash the system or potentially escalate their privileges.
CVE-2023-42753 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-42753. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.26 INTEGER OVERFLOW OR WRAPAROUND CWE-190
PAC parsing in krb5 has integer overflows that may lead to denial-of-service.
CVE-2022-42898 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-42898. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.27 OUT-OF-BOUNDS WRITE CWE-787
An issue was discovered in the function _libssh2_packet_add in libssh2, which allows attackers to access out-of-bounds memory. This flaw could lead to a system crash if exploited by an authenticated attacker.
CVE-2020-22218 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2020-22218. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.28 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843
X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. When CRL checking is enabled, this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial-of-service.
CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-0286. A base score of 5.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.29 IMPROPER INPUT VALIDATION CWE-20
An issue in the urllib.parse component of Python allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. Successful exploitation of this vulnerability could allow an authenticated attacker to add or modify data.
CVE-2023-24329 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2023-24329. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
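The urllib.parse issue above is a parser-differential problem: the code that decides whether a URL is acceptable parses it one way, and the HTTP client that later fetches it tolerates the leading whitespace and contacts the host anyway. The following is an added example (not ABB's code and not CPython's fix) of an admission check that does not depend on which interpreter version parses the URL: it refuses the characters a lenient parser would strip instead of stripping them, and it allowlists scheme and host rather than blocklisting. The host names are constructed samples.

```python
"""Hardened URL admission check for a gateway-style service.

Added example, not ABB's or CPython's code. CVE-2023-24329: before the fix,
urllib.parse.urlsplit() did not strip leading whitespace and C0 control
characters, so " http://evil.example" parsed with an empty scheme and netloc
and slipped past a blocklist keyed on the parsed host, while the HTTP client
that later fetched the URL tolerated the whitespace. The check below fails
closed (it refuses such characters rather than stripping them) and allowlists
scheme and host instead of blocklisting. Host names are constructed samples.
"""
from urllib.parse import urlsplit

# Characters the WHATWG URL standard (and patched CPython) strip before
# parsing: U+0000..U+0020. They are rejected here instead of stripped, so the
# verdict does not depend on which interpreter version parses the URL.
STRIPPABLE = frozenset(chr(c) for c in range(0x21))

ALLOWED_SCHEMES = frozenset({"http", "https"})
# Constructed allowlist of hosts the service may contact.
ALLOWED_HOSTS = frozenset({"update.example", "api.example"})


def has_strippable_chars(url: str) -> bool:
    """True when the URL holds characters a lenient parser would silently drop."""
    return any(ch in STRIPPABLE for ch in url)


def check_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason); every ambiguous input yields (False, reason)."""
    if not url:
        return False, "empty URL"
    if has_strippable_chars(url):
        return False, "control or whitespace character in URL"
    try:
        parts = urlsplit(url)
        host = parts.hostname          # lower-cased, brackets and port removed
        userinfo = parts.username is not None or parts.password is not None
    except ValueError as exc:          # e.g. "Invalid IPv6 URL"
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if userinfo:
        return False, "userinfo (user@host) not allowed"
    if host is None:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, f"host not allowed: {host!r}"
    return True, "ok"


def naive_blocklist_check(url: str, blocked=("evil.example",)) -> bool:
    """The pattern the CVE defeats: blocklist the netloc of a lenient parse.

    On an unpatched interpreter "\\thttp://evil.example" yields netloc '' and
    passes; on a patched one it yields 'evil.example' and is refused. A verdict
    that depends on the parser version is not a security control.
    """
    return urlsplit(url).netloc.lower() not in blocked
```

The check deliberately rejects a space anywhere in the URL, not only at the start; a space in a URL must be percent-encoded, so an unencoded one is always either a mistake or an attempt to exploit parser leniency.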
3.2.30 IMPROPER INPUT VALIDATION CWE-20
An issue allows malicious remote servers to write arbitrary files inside the directories of connecting peers. A malicious rsync server can overwrite arbitrary files in the rsync client target directory and subdirectories.
CVE-2022-29154 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-29154. A base score of 6.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.31 IMPROPER PRIVILEGE MANAGEMENT CWE-269
The sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This could lead to privilege escalation.
CVE-2023-22809 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-22809. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.32 INTEGER OVERFLOW OR WRAPAROUND CWE-190
An issue in the Apache Portable Runtime Utility may allow a malicious attacker to cause an out-of-bounds write due to an integer overflow when encoding or decoding a very long string using the base64 family of functions. This could lead to data modification or a denial-of-service.
CVE-2022-25147 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2022-25147. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N).
3.2.33 INCONSISTENT INTERPRETATION OF HTTP REQUESTS ('HTTP REQUEST/RESPONSE SMUGGLING') CWE-444
When using forwarders, bogus NS records supplied by or via those forwarders may be cached and used by named if it needs to recurse for any reason. This could cause named to obtain and pass on potentially incorrect answers, leading to DNS cache poisoning. This vulnerability could potentially result in denial-of-service and information disclosure by an authenticated attacker.
CVE-2021-25220 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2021-25220. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.34 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
Processing large delegations may severely degrade resolver performance, effectively denying legitimate clients access to the DNS resolution service. This could lead to denial-of-service conditions.
CVE-2022-2795 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2022-2795. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.2.35 OUT-OF-BOUNDS WRITE CWE-787
drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel allows a user-space client to corrupt the monitor's internal memory. This could lead to denial-of-service or information disclosure conditions if exploited by an authenticated attacker.
CVE-2022-43750 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-43750. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.36 OBSERVABLE DISCREPANCY CWE-203
A return address predictor vulnerability in certain AMD processors may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure. ARM600 servers utilize Intel processors, but there may be ARM600 SW installations running in AMD processor environments.
CVE-2023-20569 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-20569. A base score of 5.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.37 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209
There is a cross-process information leak in certain AMD processors, which could allow an attacker to potentially access confidential information. ARM600 servers utilize Intel processors, but there may be ARM600 SW installations running in AMD processor environments.
CVE-2023-20593 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-20593. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.38 IMPROPER AUTHENTICATION CWE-287
If a TLS server side socket is created, receives data, and then closes quickly, there's a brief window where the SSLSocket instance detects it as "not connected" and won't initiate a handshake. Buffered data remains readable but unauthenticated if client certificate authentication is expected. This data is limited to the buffer size. An unauthenticated attacker could exploit this vulnerability for revealing sensitive information from the server.
CVE-2023-40217 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-40217. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.39 IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354
Remote attackers may bypass integrity checks, causing some packets to be omitted from the extension negotiation message. Consequently, a client and server may end up with a connection where some security features have been downgraded or disabled, also known as a Terrapin attack.
CVE-2023-48795 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2023-48795. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.40 INADEQUATE ENCRYPTION STRENGTH CWE-326
TLS protocol Versions 1.1 and 1.2, and DTLS protocol Versions 1.0 and 1.2, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding. This allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks through statistical analysis of timing data for crafted packets, also known as the 'Lucky Thirteen' issue.
CVE-2013-0169 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2013-0169. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.41 IMPROPER REMOVAL OF SENSITIVE INFORMATION BEFORE STORAGE OR TRANSFER CWE-212
TLS protocol Version 1.2 and earlier can encrypt compressed data without properly obfuscating the length of the unencrypted data. This allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses where a string in an HTTP request potentially matches an unknown string in an HTTP header, also known as a 'CRIME' attack.
CVE-2012-4929 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2012-4929. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.42 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
The "ICMP Timestamp Request Remote Date Disclosure" vulnerability involves the use of ICMP (Internet control message protocol) timestamp requests and replies: a host that answers them reveals its current system time to any remote sender.
CVE-1999-0524 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-1999-0524. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
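To make the disclosure concrete, the following added example (not ABB's or CISA's code) builds an ICMP timestamp request, answers it the way a target host does, and decodes the reply the way a probe would. The reply carries the target's clock as milliseconds since midnight UTC (RFC 792), which is the information the advisory's firewall mitigation for ICMP types 13 and 14 keeps off the network. No packets are sent; the identifiers and the target clock value are constructed.

```python
"""ICMP Timestamp Request/Reply (types 13/14) built and parsed offline.

Added example, not ABB's or CISA's code. It shows what CVE-1999-0524
discloses: the reply carries the answering host's clock as milliseconds
since midnight UTC (RFC 792), which is why the advisory's mitigations
filter ICMP types 13 and 14 at the firewall. No packets are sent; the
'target' clock value and identifiers are constructed.
"""
import struct

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
# type, code, checksum, identifier, sequence, originate, receive, transmit
HEADER_FMT = "!BBHHHIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 20 bytes
MS_PER_DAY = 24 * 60 * 60 * 1000


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_timestamp_message(msg_type, ident, seq, originate, receive=0, transmit=0) -> bytes:
    """Serialize a type 13/14 message with a correct checksum."""
    if msg_type not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        raise ValueError("not an ICMP timestamp type")
    unchecked = struct.pack(HEADER_FMT, msg_type, 0, 0, ident, seq, originate, receive, transmit)
    csum = internet_checksum(unchecked)
    return struct.pack(HEADER_FMT, msg_type, 0, csum, ident, seq, originate, receive, transmit)


def parse_timestamp_message(pkt: bytes) -> dict:
    """Validate length, checksum and type/code, then return the fields."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short ICMP timestamp message")
    if internet_checksum(pkt[:HEADER_LEN]) != 0:   # sum over checksum too folds to zero
        raise ValueError("bad ICMP checksum")
    msg_type, code, _, ident, seq, orig, recv, xmit = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if msg_type not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY) or code != 0:
        raise ValueError(f"unexpected type/code {msg_type}/{code}")
    return {"type": msg_type, "id": ident, "seq": seq,
            "originate": orig, "receive": recv, "transmit": xmit}


def answer_timestamp_request(request: bytes, target_clock_ms: int) -> bytes:
    """Target side: echo id/seq/originate and fill in its own clock (the disclosure)."""
    req = parse_timestamp_message(request)
    if req["type"] != ICMP_TIMESTAMP_REQUEST:
        raise ValueError("not a timestamp request")
    return build_timestamp_message(ICMP_TIMESTAMP_REPLY, req["id"], req["seq"],
                                   req["originate"], target_clock_ms, target_clock_ms)


def disclosed_time_of_day(reply: bytes) -> str:
    """Probe side: decode the target's transmit timestamp as HH:MM:SS.mmm UTC."""
    rep = parse_timestamp_message(reply)
    if rep["type"] != ICMP_TIMESTAMP_REPLY:
        raise ValueError("not a timestamp reply")
    ms = rep["transmit"]
    if ms & 0x80000000:                      # RFC 792: high bit set marks a non-standard value
        raise ValueError("non-standard timestamp")
    ms %= MS_PER_DAY
    hours, rest = divmod(ms, 3_600_000)
    minutes, rest = divmod(rest, 60_000)
    seconds, millis = divmod(rest, 1000)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}.{millis:03d} UTC"


if __name__ == "__main__":
    probe = build_timestamp_message(ICMP_TIMESTAMP_REQUEST, 0x1234, 1, 37_000_000)
    reply = answer_timestamp_request(probe, 45_296_789)   # constructed target clock
    print(disclosed_time_of_day(reply))
```

The same parser can be pointed at captured ICMP payloads (the 20 bytes after the IP header) to confirm whether a firewall rule for types 13 and 14 is actually in effect: a host behind a correct rule never produces a type 14 message.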
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Switzerland
3.4 RESEARCHER
ABB reported these vulnerabilities to CISA.
4. MITIGATIONS
For more information, please refer to ABB's Cybersecurity Advisory 2NGA002579. It provides a comprehensive mapping of mitigation applicability in relation to each individual vulnerability listed.
ABB recommends the following mitigations:
- Obtain a cellular private access point (APN). A dedicated private cellular access point and respective SIM card subscriptions can be requested from the cellular service provider. This service doesn't expose the traffic between remote sites and the main site to the Internet but rather uses the cellular operator's private wide area network (WAN). Therefore, the ARM600 wouldn't need open ports to the Internet.
- Avoid exposing any system component to the Internet. If the ARM600 must be exposed to the Internet, only the VPN port should be opened towards the Internet (e.g., Patrol management connections can be configured to use a VPN tunnel, and remote administration connections can be implemented using an OpenVPN PC-client).
- The ARM600 system is by default not dependent on the name service (DNS). If the name service is not used in the system, the name service port (TCP/UDP Port 53) can be blocked by a firewall.
- Perform firewall configuration using the 'allowlisting' principle, explicitly allowing only the required ports and protocols and blocking all other traffic.
- Filter specific ICMP packets from external systems (ICMP type 13 and 14) using a firewall to avoid exposing the system time.
- If the Internet is used as a WAN medium for carrying VPN tunnels, use a demilitarized zone (DMZ) for terminating connections from the Internet. Remote connections should terminate in the DMZ network, which would be segregated from other networks by a firewall. The ARM600 server should be located in this DMZ.
- Change the default user credentials of ARM600 and Arctic wireless gateways to non-default values and use complex, non-guessable passwords with special characters. Do not reuse passwords within the system.
- Use administrator (i.e., root user) privileges only when required by the task.
- Supporting systems, such as PCs used for configuration, should be updated frequently. If possible, use dedicated site PCs for upgrading and engineering purposes. At a minimum, PCs should be checked by running a full virus scan with recently updated signature files before introducing the PC to the OT system. Any data, such as device configurations and firmware update files, should be virus scanned prior to transferring it to the Arctic system.
- Introduce a backup policy to ensure periodic backups and backup revision numbering. Consider the following:
a. Check that the entire system has backups available from all applicable parts.
b. Store the backups in a safe place (e.g. in an encrypted storage), restricted by role-based access control mechanisms.
c. Ensure the security of the configuration PCs that may have local copies of device configurations.
d. Validate the backups to ensure they are working.
- Follow cyber security best practices for installation, operation, and decommissioning as described in the product's cyber security deployment guideline and user manual.
- Use continuous monitoring (e.g., intrusion detection/prevention tools) to detect anomalies in the system.
- Consider hardening the system according to the following:
a. Remove any unnecessary communication links in the system.
b. If possible, close unused physical ports.
c. Open only the necessary TCP/UDP ports in the configuration.
d. Remove all unnecessary user accounts.
e. Restrict traffic by firewall.
f. Allow the traffic only from/to necessary hosts' IP addresses (i.e., define both source and destination in the firewall rules, where possible).
g. Define client IP address as allowed address in SCADA communication protocols, if such configuration is supported.
h. Remove or deactivate all unused processes, communication ports, and services where possible.
i. Use physical access controls to the system installations (e.g., to server rooms and device cabinets).
- In ARM600SW installations, avoid servers with AMD processors vulnerable to the following: CVE-2021-26401, CVE-2023-20569 and CVE-2023-20593.
- Avoid using AX88179_178A chipset-based USB-to-ethernet devices.
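One way to express the firewall-related items above (allowlisting, blocking port 53 when DNS is unused, filtering ICMP types 13 and 14, opening only the VPN port towards the Internet, and restricting traffic to known source and destination hosts) as an nftables ruleset on a Linux host in the DMZ. This is an added example, not configuration from ABB or from this advisory; the VPN port (1194/UDP), the peer addresses, the tunnel interface tun0 and the management subnet are assumed placeholders to be replaced with site values.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not ABB's). Allowlist principle: everything not
# explicitly accepted below is dropped.
flush ruleset

table inet arm600_filter {
    # Assumed placeholder: public addresses of the remote-site VPN peers
    set vpn_peers {
        type ipv4_addr
        elements = { 198.51.100.10, 198.51.100.11 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP type 13 (timestamp-request) and 14 (timestamp-reply):
        # drop them before any generic ICMP rule so the system time is
        # not disclosed (CVE-1999-0524 above).
        icmp type { timestamp-request, timestamp-reply } drop
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept

        # DNS is not used in this deployment: block TCP/UDP port 53 explicitly.
        tcp dport 53 drop
        udp dport 53 drop

        # Only the VPN port is reachable from the Internet, and only from
        # known peers (assumed port 1194/UDP, OpenVPN).
        ip saddr @vpn_peers udp dport 1194 accept

        # Remote administration only inside the tunnel, from the assumed
        # engineering subnet (source and destination both defined).
        iifname "tun0" ip saddr 10.8.0.0/24 tcp dport 22 accept

        # Everything else is logged for monitoring, then dropped.
        log prefix "arm600-drop: " counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` after reviewing it against the site's own port and address plan; the logged drops give continuous-monitoring tools a feed for anomaly detection.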
ABB strongly recommends the following (non-exhaustive) list of cyber security practices for any installation of software-related ABB products:
- Isolate special purpose networks (e.g., for automation systems) and remote devices behind firewalls and separate them from any general purpose network (e.g., office or home networks).
- Install physical controls to ensure no unauthorized personnel can access the devices, components, peripheral equipment, and networks.
- Never connect programming software or computers containing programming software to any network other than the network intended for the devices.
- Scan all data imported into the environment before use to detect potential malware infections.
- Minimize network exposure for all applications and endpoints to ensure they are not accessible from the Internet unless they are designed for such exposure and the intended use requires it.
- Ensure all nodes are always up to date with installed software, operating system, and firmware patches, as well as anti-virus and firewall updates.
- When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- April 15, 2025: Initial Republication of ABB 2NGA002579