CVE-2023-1514

Severity CVSS v4.0:

Pending analysis

Type:

CWE-295 Improper Certificate Validation

Publication date:

19/12/2023

Last modified:

28/12/2023

Description

A vulnerability exists in the component RTU500 Scripting interface. When a client connects to a server using TLS, the server presents a certificate. This certificate links a public key to the identity of the service and is signed by a Certification Authority (CA), allowing the client to validate that the remote service can be trusted and is not malicious. If the client does not validate the parameters of the certificate, then attackers could be able to spoof the identity of the service. An attacker could exploit the vulnerability by using faking the identity of a RTU500 device and intercepting the messages initiated via the RTU500 Scripting interface.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS v3.1 Severity and Metrics:

Base Score: 7.50 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): None

Base Score 3.x

7.50

Severity 3.x

HIGH

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:hitachienergy:rtu500_scripting_interface:1.0.1.30:::::::*
cpe:2.3:a:hitachienergy:rtu500_scripting_interface:1.0.2:::::::*
cpe:2.3:a:hitachienergy:rtu500_scripting_interface:1.1.1:::::::*

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://publisher.hitachienergy.com/preview?DocumentId=8DBD000152&languageCode=en&Preview=true