CVE-2022-2474

Authentication is currently unsupported in Haas Controller version 100.20.000.1110 when using the “Ethernet Q Commands” service, which allows any user on the same network segment as the controller (even while connected remotely) to access the service and write unauthorized macros to the device.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:haascnc:haas_controller_firmware:100.20.000.1110:*:*:*:*:*:*:*

cpe:2.3:h:haascnc:haas_controller:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-10-28 18:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-2474

Mitre link : CVE-2022-2474

CVE.ORG link : CVE-2022-2474

JSON object : View

Products Affected

haascnc

haas_controller
haas_controller_firmware

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2022-2474", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-10-28T18:15:11.337", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Authentication is currently unsupported in Haas Controller version 100.20.000.1110 when using the \u201cEthernet Q Commands\u201d service, which allows any user on the same network segment as the controller (even while connected remotely) to access the service and write unauthorized macros to the device."}, {"lang": "es", "value": "Actualmente, la autenticaci\u00f3n no es compatible con la versi\u00f3n 100.20.000.1110 de Haas Controller cuando se utiliza el servicio \u201cEthernet Q Commands\u201d, que permite a cualquier usuario en el mismo segmento de red que el controlador (incluso mientras est\u00e1 conectado de forma remota) acceder al servicio y escribir macros no autorizadas en el dispositivo."}], "lastModified": "2022-11-02T15:44:00.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:haascnc:haas_controller_firmware:100.20.000.1110:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DC9BA96-106A-4C7D-A89E-C2DE29429386"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:haascnc:haas_controller:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C6C8F5BC-97B7-4EDC-AF26-3F6971537DC9"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}