CVE-2023-22334
Published 2023-01-20
Priority: P4 · 30 · medium · 5.3 (CVSS 3.1)
CVSS vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.88% (54.5th percentile)
Use of password hash instead of password for authentication vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to obtain user credentials information via a man-in-the-middle attack.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contec | conprosys_hmi_system | <= 3.4.5 | — |
| contec_co_ltd | conprosys_hmi_system | — | — |
GHSA
GHSA-4h9q-9r2g-27j5: Use of password hash instead of password for authentication vulnerability in CONPROSYS HMI System (CHS) Ver
ghsa_unreviewed·2023-01-20
CVE-2023-22334 [MEDIUM] CWE-287 GHSA-4h9q-9r2g-27j5: Use of password hash instead of password for authentication vulnerability in CONPROSYS HMI System (CHS) Ver
CISA ICS
Contec CONPROSYS HMI System (CHS) Update A
cisa_ics·2022-12-13·CVSS 9.8
[CRITICAL] Contec CONPROSYS HMI System (CHS) Update A
ICS Advisory
## Contec CONPROSYS HMI System (CHS) Update A
Last Revised: January 19, 2023
Alert Code: ICSA-22-347-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Contec
- Equipment: CONPROSYS HMI System (CHS)
--------- Begin Update A part 1 of 5 ---------
- Vulnerability: OS Command Injection, Use of Default Credentials, Use of Password Hash Instead of Password for Authentication, Cross-site Scripting, Improper Access Control
--------- End Update A part 1 of 5 ---------
## 2. UPDATE OR REPOSTED INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-22-347-03 Contec CONPROSYS HMI System (CHS) that was published December 13, 2022, on the ICS webpage on cisa.gov/ics.
## 3
- https://jvn.jp/en/vu/JVNVU96873821
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03
- https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf
- https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b