CVE-2023-22339

Reference Links

• https://jvn.jp/en/vu/JVNVU96873821
• https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03
• https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf
• https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b
• https://www.cisa.gov/news-events/ics-advisories/icsa-22-347-03 (Advisory)

Parent vulnerabilities

(Appears in the following advisories)

• ICSA-22-347-03

Frequently Asked Questions

• What is CVE-2023-22339?

  CVE-2023-22339 is an improper access control vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier, allowing a remote unauthenticated attacker to bypass access restrictions and obtain the server certificate, including the private key of the product.

• How does CVE-2023-22339 impact the affected software?

  CVE-2023-22339 has a high severity rating of 7.5, indicating it is a critical vulnerability that can be exploited remotely by an attacker to bypass access restrictions and obtain sensitive information.

• What software versions are affected by CVE-2023-22339?

  CVE-2023-22339 affects CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier.

• How can an attacker exploit CVE-2023-22339?

  An attacker can exploit CVE-2023-22339 by sending specially crafted requests to the vulnerable CONPROSYS HMI System, bypassing access restrictions and obtaining the server certificate, including the private key.

• Is there a fix for CVE-2023-22339?

  Yes, it is recommended to update to a version of CONPROSYS HMI System that is not affected by the vulnerability, such as version 3.4.6 or later.