1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: UNEM
- Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Argument Injection, Heap-based Buffer Overflow, Improper Certificate Validation, Use of Hard-coded Password, Improper Restriction of Excessive Authentication Attempts, Cleartext Storage of Sensitive Information, Incorrect User Management
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial of service, execute unintended commands, access sensitive information, or execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following products are affected:
- UNEM: Versions R15A and prior
- UNEM: R15B (CVE-2024-28022, CVE-2024-28024, CVE-2024-28020)
- UNEM: R15B PC4 (CVE-2024-2013, CVE-2024-2012, CVE-2024-2011, CVE-2024-28021, CVE-2024-28023)
- UNEM: R16A
- UNEM: R16B (CVE-2024-28022, CVE-2024-28024, CVE-2024-28020)
- UNEM: R16B PC2 (CVE-2024-2013, CVE-2024-2012, CVE-2024-2011, CVE-2024-28021, CVE-2024-28023)
3.2 Vulnerability Overview
3.2.1 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288
An authentication bypass vulnerability exists in the UNEM server / APIGateway component that if exploited allows unauthenticated malicious users to interact with the services and the post-authentication attack surface.
CVE-2024-2013 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA Advisories
Read the original article: