CVE-2022-2758
Severity CVSS v4.0:
Pending analysis
Type:
CWE-326
Inadequate Encryption Strength
Publication date:
31/08/2022
Last modified:
14/11/2022
Description
Passwords are not adequately encrypted during the communication process between all versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric XG5000 software prior to V4.0 and LS Electric PLCs: all versions of XGK-CPUU/H/A/S/E prior to V3.50, all versions of XGI-CPUU/UD/H/S/E prior to V3.20, all versions of XGR-CPUH prior to V1.80, all versions of XGB-XBMS prior to V3.00, all versions of XGB-XBCH prior to V1.90, and all versions of XGB-XECH prior to V1.30. This would allow an attacker to identify and decrypt the password of the affected PLCs by sniffing the PLC’s communication traffic.
Impact
Base Score 3.x
5.90
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:ls-electric:xg5000:*:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ls-electric:xgk-cpuun_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ls-electric:xgk-cpuun:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ls-electric:xgk-cpuhn_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ls-electric:xgk-cpuhn:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ls-electric:xgk-cpusn_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ls-electric:xgk-cpusn:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ls-electric:xgk-cpuu_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ls-electric:xgk-cpuu:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ls-electric:xgk-cpuh_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ls-electric:xgk-cpuh:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ls-electric:xgk-cpua_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ls-electric:xgk-cpua:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:ls-electric:xgk-cpus_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:ls-electric:xgk-cpus:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page