CVE-2023-22339
Published 2023-01-20
CVE-2023-22339: Improper access control vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to bypass access restriction…
Priority: P347, high, 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.14% (62.5th percentile)
Improper access control vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to bypass access restriction and obtain the server certificate including the private key of the product.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contec | conprosys_hmi_system | <= 3.4.5 | — |
| contec_co_ltd | conprosys_hmi_system | — | — |
GHSA
GHSA-r659-h3gg-4vrp: Improper access control vulnerability in CONPROSYS HMI System (CHS) Ver
ghsa_unreviewed·2023-01-20
CVE-2023-22339 [HIGH] CWE-284 GHSA-r659-h3gg-4vrp: Improper access control vulnerability in CONPROSYS HMI System (CHS) Ver
Improper access control vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to bypass access restriction and obtain the server certificate including the private key of the product.
CISA ICS
Contec CONPROSYS HMI System (CHS) Update A
cisa_ics·2022-12-13·CVSS 9.8
[CRITICAL] Contec CONPROSYS HMI System (CHS) Update A
ICS Advisory
## Contec CONPROSYS HMI System (CHS) Update A
Last Revised: January 19, 2023
Alert Code: ICSA-22-347-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Contec
- Equipment: CONPROSYS HMI System (CHS)
--------- Begin Update A part 1 of 5 ---------
- Vulnerability: OS Command Injection, Use of Default Credentials, Use of Password Hash Instead of Password for Authentication, Cross-site Scripting, Improper Access Control
--------- End Update A part 1 of 5 ---------
## 2. UPDATE OR REPOSTED INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-22-347-03 Contec CONPROSYS HMI System (CHS) that was published December 13, 2022, on the ICS webpage on cisa.gov/ics.
## 3
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://jvn.jp/en/vu/JVNVU96873821
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03
- https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf
- https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b

Published: 2023-01-20