8.8 | CWE-20

CVE-2022-3388: Input Validation Vulnerability in Hitachi Energy’s MicroSCADA Pro/X SYS600 Products

First published: Mon Nov 21 2022 (Updated: )

An input validation vulnerability exists in the Monitor Pro interface of MicroSCADA Pro and MicroSCADA X SYS600. An authenticated user can achieve administrator-level remote code execution, irrespective of that user's role.

Credit: cybersecurity@hitachienergy.com

Affected Software                      Affected Version   How to fix
Hitachi Energy MicroSCADA Pro SYS600   9.0                See Remedy for SYS600 9.x
Hitachi Energy MicroSCADA Pro SYS600   9.1                See Remedy for SYS600 9.x
Hitachi Energy MicroSCADA Pro SYS600   9.2                See Remedy for SYS600 9.x
Hitachi Energy MicroSCADA Pro SYS600   9.3                See Remedy for SYS600 9.x
Hitachi Energy MicroSCADA Pro SYS600   9.4                See Remedy for SYS600 9.x
Hitachi Energy MicroSCADA X SYS600     10                 See Remedy for SYS600 10.x
Hitachi Energy MicroSCADA X SYS600     10.1               See Remedy for SYS600 10.x
Hitachi Energy MicroSCADA X SYS600     10.1.1             See Remedy for SYS600 10.x
Hitachi Energy MicroSCADA X SYS600     10.2               See Remedy for SYS600 10.x
Hitachi Energy MicroSCADA X SYS600     10.2.1             See Remedy for SYS600 10.x
Hitachi Energy MicroSCADA X SYS600     10.3               See Remedy for SYS600 10.x
Hitachi Energy MicroSCADA X SYS600     10.3.1             See Remedy for SYS600 10.x
Hitachi Energy MicroSCADA X SYS600     10.4               See Remedy for SYS600 10.x

Remedy (SYS600 9.x)

For SYS600 9.x: update to at least SYS600 version 9.4 FP2 Hotfix 5 when it is released, or upgrade to at least SYS600 version 10.4.1. Installing SYS600 9.4 FP2 Hotfix 5 requires SYS600 9.4 FP2 Hotfix 4 to be installed first.

CPE:
cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.0:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.1:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.2:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.3:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:*:*:*:*:*:*:*

Remedy (SYS600 10.x)

For SYS600 10.x: update to at least SYS600 version 10.4.1, or apply general mitigation factors.

CPE:
cpe:2.3:a:hitachienergy:microscada_x_sys600:10:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.1:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.1.1:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.2.1:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.3.1:*:*:*:*:*:*:*
cpe:2.3:a:hitachienergy:microscada_x_sys600:10.4:*:*:*:*:*:*:*
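The affected-version table and the two Remedy sections above translate into a simple compliance check an asset owner can run over a SYS600 inventory. The following is an added example, not code from SecAlerts or Hitachi Energy; it assumes version strings of the form "9.4 FP2 Hotfix 5" or "10.3.1", that later FP/Hotfix levels order naturally after earlier ones, and uses a constructed inventory.

```python
import re

# Affected releases and fix thresholds come from the advisory above.
# The version-string format and the FP/Hotfix ordering are assumptions.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\s+FP(\d+))?(?:\s+Hotfix\s+(\d+))?$", re.I)

def parse_version(text):
    """Split 'MAJOR.MINOR[.PATCH] [FPn] [Hotfix m]' into ((nums...), fp, hotfix)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SYS600 version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, int(m.group(2) or 0), int(m.group(3) or 0)

def assess(version_text):
    """Return (affected, advice) for one SYS600 version string.
    9.x is fixed from 9.4 FP2 Hotfix 5 (Hotfix 4 required first); 10.x from 10.4.1."""
    nums, fp, hf = parse_version(version_text)
    level = (nums, fp, hf)          # tuple comparison gives "at least" semantics
    if nums[0] == 9:
        if level >= ((9, 4), 2, 5):
            return False, "not affected: 9.4 FP2 Hotfix 5 or later"
        if level >= ((9, 4), 2, 4):
            return True, "install SYS600 9.4 FP2 Hotfix 5, or upgrade to 10.4.1"
        return True, "install SYS600 9.4 FP2 Hotfix 4, then Hotfix 5, or upgrade to 10.4.1"
    if nums[0] == 10:
        if nums >= (10, 4, 1):
            return False, "not affected: 10.4.1 or later"
        return True, "update to SYS600 10.4.1 or apply general mitigation factors"
    return False, "version not listed in the advisory; confirm with the vendor"

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("scada-a", "9.4 FP2 Hotfix 4"),
    ("scada-b", "9.2"),
    ("scada-c", "10.3.1"),
    ("scada-d", "10.4.1"),
]

def affected_hosts(inventory):
    """Return [(host, version, advice)] for entries still exposed to CVE-2022-3388."""
    exposed = []
    for host, ver in inventory:
        affected, advice = assess(ver)
        if affected:
            exposed.append((host, ver, advice))
    return exposed
```

Calling `affected_hosts(SAMPLE_INVENTORY)` flags scada-a, scada-b and scada-c with the matching remedy, and leaves scada-d (already on 10.4.1) out.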


Frequently Asked Questions

  • What is CVE-2022-3388?

    CVE-2022-3388 is an input validation vulnerability in the Monitor Pro interface of MicroSCADA Pro and MicroSCADA X SYS600.

  • How severe is CVE-2022-3388?

    CVE-2022-3388 has a severity rating of 7.8 (high).

  • Which software versions are affected by CVE-2022-3388?

    MicroSCADA Pro SYS600 versions 9.0 to 9.4 and MicroSCADA X SYS600 versions 10 to 10.4 are affected by CVE-2022-3388.

  • How can an authenticated user exploit CVE-2022-3388?

    An authenticated user can achieve administrator-level remote code execution, regardless of their role.

  • Where can I find more information about CVE-2022-3388?

    You can find more information about CVE-2022-3388 in the vendor advisory: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000123&LanguageCode=en&DocumentPartId=&Action=Launch&elqaid=4293&elqat=1

© 2024 SecAlerts Pty Ltd.