CVE-2023-32170

Unified Automation UaGateway OPC UA Server Improper Input Validation Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. User interaction is required to exploit this vulnerability in that the target must choose to accept a client certificate. The specific flaw exists within the processing of client certificates. The issue results from the lack of proper validation of certificate data. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-20494.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt
https://www.zerodayinitiative.com/advisories/ZDI-23-775/
https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt
https://www.zerodayinitiative.com/advisories/ZDI-23-775/

Configurations

No configuration.

History

21 Nov 2024, 08:02

Type	Values Removed	Values Added
References	~~() https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt -~~	() https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt -
References	~~() https://www.zerodayinitiative.com/advisories/ZDI-23-775/ -~~	() https://www.zerodayinitiative.com/advisories/ZDI-23-775/ -
Summary		(es) Vulnerabilidad de denegación de servicio de validación de entrada incorrecta del servidor UaGateway OPC UA de Unified Automation. Esta vulnerabilidad permite a atacantes remotos crear una condición de denegación de servicio en las instalaciones afectadas de Unified Automation UaGateway. Se requiere la interacción del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe elegir aceptar un certificado de cliente. La falla específica existe en el procesamiento de certificados de clientes. El problema se debe a la falta de validación adecuada de los datos del certificado. Un atacante puede aprovechar esta vulnerabilidad para crear una condición de denegación de servicio en el sistema. Era ZDI-CAN-20494.

03 May 2024, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-03 02:15

Updated : 2024-11-21 08:02

NVD link : CVE-2023-32170

Mitre link : CVE-2023-32170

CVE.ORG link : CVE-2023-32170

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

6.5 /10