VDE-2022-059
Vulnerability from csaf_himapaulhildebrandtgmbh - Published: 2023-01-16 09:00 - Updated: 2025-05-22 13:03
Summary
HIMA: unquoted path vulnerabilities in X-OPC and X-OTS
Notes
Summary: An unquoted Windows search path vulnerability in the software for Windows listed below might allow local users to gain privileges via a malicious .exe file.
Impact: The vulnerability can be used to run a malicious file with administrator privileges while being logged in as a normal user. Therefore, any action which is not restricted by other measures could be taken.
According to the security manual, HIMA recommends running the OPC Server and the programming environment on different PCs.
The OPC can only influence the data defined in the project. It does not have the ability to change the project. For this reason, HIMA considers an influence of the OPC Server on the program of the safety PLC (Programmable Logic Controller) unlikely.
Mitigation: Ensure that the Registry can only be accessed with administrator privileges.
HOPCS: Install in a path without spaces and/or select a user with low privileges in the DCOM settings dcomcnfg/Identity.
When using X-OPC or X-OTS, it is recommended to protect the user program with the system variables (see Automation Security Manual '3.2.2.2 Access Restrictions'):
- Forcing Deactivation
- Read-only in RUN
- Reload Deactivation
Remediation: All present products will be fixed. Updates are under development. Note: HOPCS is not suitable for present HIMA Products and is not planned to be fixed.
In multiple versions of HIMA PC-based software, an unquoted Windows search path vulnerability might allow local users to gain privileges via a malicious .exe file and gain full access to the system.
7.8 (High)
Mitigation
Ensure that the Registry can only be accessed with administrator privileges.
HOPCS: Install in a path without spaces and/or select a user with low privileges in the DCOM settings dcomcnfg/Identity.
When using X-OPC or X-OTS, it is recommended to protect the user program with the system variables (see Automation Security Manual '3.2.2.2 Access Restrictions'):
- Forcing Deactivation
- Read-only in RUN
- Reload Deactivation
No Fix Planned
All present products will be fixed. Updates are under development. Note: HOPCS is not suitable for present HIMA Products and is not planned to be fixed.
Acknowledgments
CERT@VDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Unquoted Windows search path vulnerability in the below mentioned Software for Windows might allow local users to gain privileges via a malicious .exe file.",
"title": "Summary"
},
{
"category": "description",
"text": "The vulnerability can be used to run a malicious file with administrator privileges while being logged in as a normal user. Therefore, any action which is not restricted by other measures could be taken.\n\nDue to the security manual HIMA recommends to run the OPC Server and the programming environment on different PCs.\n\nThe OPC can only influence the data defined in the project. It does not have the ability to change the project. For this reason HIMA estimates the influence of the OPC Server on the program of the safety PLC (Programmable Logic Controller) as unlikely.",
"title": "Impact"
},
{
"category": "description",
"text": "Ensure that Registry can only be accessed with administrator privileges.\nHOPCS: Install in a path without spaces and/or select a user with low privileges in the DCOM settings dcomcnfg/Identity.\nWhen using X-OPC or X-OTS it is recommended to protect the user program, with the system variables (see Automation Security Manual \u00273.2.2.2 Access Restrictions\u0027):\n\n- Forcing Deactivation\n- Read-only in RUN\n- Reload Deactivation",
"title": "Mitigation"
},
{
"category": "description",
"text": "All present products will be fixed. Updates are under development.Note: HOPCS is not suitable for present HIMA Products and is not planned to be fixed.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "hima-cert@hima.com",
"name": "HIMA Paul Hildebrandt GmbH",
"namespace": "https://www.hima.com"
},
"references": [
{
"category": "self",
"summary": "VDE-2022-059: HIMA: unquoted path vulnerabilities in X-OPC and X-OTS - HTML",
"url": "https://certvde.com/en/advisories/VDE-2022-059/"
},
{
"category": "self",
"summary": "VDE-2022-059: HIMA: unquoted path vulnerabilities in X-OPC and X-OTS - CSAF",
"url": "https://hima.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2022-059.json"
},
{
"category": "external",
"summary": "Vendor PSIRT",
"url": "https://www.hima.com"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for HIMA Paul Hildebrandt GmbH",
"url": "https://certvde.com/en/advisories/vendor/hima/"
}
],
"title": "HIMA: unquoted path vulnerabilities in X-OPC and X-OTS",
"tracking": {
"aliases": [
"VDE-2022-059"
],
"current_release_date": "2025-05-22T13:03:10.000Z",
"generator": {
"date": "2025-05-05T09:01:00.460Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.24"
}
},
"id": "VDE-2022-059",
"initial_release_date": "2023-01-16T09:00:00.000Z",
"revision_history": [
{
"date": "2023-01-16T09:00:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2025-05-22T13:03:10.000Z",
"number": "2",
"summary": "Fix: quotation mark"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "HOPCS",
"product": {
"name": "HOPCS",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"model_numbers": [
"892042400"
]
}
}
},
{
"category": "product_name",
"name": "X-OPC A+E",
"product": {
"name": "X-OPC A+E",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"model_numbers": [
"894000016"
]
}
}
},
{
"category": "product_name",
"name": "X-OPC DA",
"product": {
"name": "X-OPC DA",
"product_id": "CSAFPID-11003",
"product_identification_helper": {
"model_numbers": [
"894000015"
]
}
}
},
{
"category": "product_name",
"name": "X-OTS",
"product": {
"name": "X-OTS",
"product_id": "CSAFPID-11004",
"product_identification_helper": {
"model_numbers": [
"895900001"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=3.56.4",
"product": {
"name": "Firmware \u003c=3.56.4",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version_range",
"name": "\u003c=5.6.1210",
"product": {
"name": "Firmware \u003c=5.6.1210",
"product_id": "CSAFPID-21002"
}
},
{
"category": "product_version_range",
"name": "\u003c=1.32.550",
"product": {
"name": "Firmware \u003c=1.32.550",
"product_id": "CSAFPID-21003"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "Hima"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
],
"summary": "Affected products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=3.56.4 installed on HOPCS",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=5.6.1210 installed on X-OPC A+E",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=5.6.1210 installed on X-OPC DA",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=1.32.550 installed on X-OTS",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21003",
"relates_to_product_reference": "CSAFPID-11004"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-4258",
"cwe": {
"id": "CWE-428",
"name": "Unquoted Search Path or Element"
},
"notes": [
{
"category": "description",
"text": "In multiple versions of HIMA PC based Software an unquoted Windows search path vulnerability\u00a0might allow local users to gain privileges via a malicious .exe file and gain full access to the system.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Ensure that Registry can only be accessed with administrator privileges.\nHOPCS: Install in a path without spaces and/or select a user with low privileges in the DCOM settings dcomcnfg/Identity.\nWhen using X-OPC or X-OTS it is recommended to protect the user program, with the system variables (see Automation Security Manual \u00273.2.2.2 Access Restrictions\u0027):\n\n- Forcing Deactivation\n- Read-only in RUN\n- Reload Deactivation",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "no_fix_planned",
"details": "All present products will be fixed. Updates are under development.Note: HOPCS is not suitable for present HIMA Products and is not planned to be fixed.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "CVE-2022-4258"
}
]
}