Cybersecurity specialists report the detection of multiple vulnerabilities in IGSS Data Server, one of the most important solutions of the firm Schneider Electric. According to the report, successful exploitation of these vulnerabilities would allow threat actors to put affected systems at critical risk.
Below are brief descriptions of the detected flaws, in addition to their respective tracking keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2022-24313: A boundary error within the IGSSDataServer process would allow unauthenticated remote threat actors to trigger a stack-based buffer overflow and execute arbitrary code on vulnerable systems.
This is a highly severe vulnerability and received a CVSS score of 8.5/10.
CVE-2022-24314: A boundary condition within IGSSdataServer.exe would allow remote threat actors to send a specially crafted message, trigger an out-of-bounds read error, and cause a denial-of-service (DoS) condition.
The vulnerability received a CVSS score of 6.7/10.
CVE-2022-24310: An integer overflow within IGSSdataServer.exe would allow remote hackers to send specially crafted messages to trigger arbitrary code execution on the affected system.
This is a highly severe vulnerability and received a CVSS score of 8.8/10.
CVE-2022-24317: The absence of authorization within the IGSSDataServer process would allow remote threat actors to send a specially crafted message to the affected system and expose the stored information.
This is a medium severity error and received a CVSS score of 4.6/10.
CVE-2022-24315: A boundary error within the IGSSDataServer process would have allowed remote attackers to send a specially crafted message to trigger an out-of-bounds read error and lead to a DoS condition.
This is a flaw of medium severity and received a CVSS score of 6.5/10.
CVE-2022-24311: An input validation error when processing directory crossstreams within the IGSSDataServer process would allow remote attackers to cause modification of an existing file by inserting it to the beginning of the file or creating a new file in the context of the data server.
The vulnerability received a CVSS score of 6.5/10.
CVE-2022-24312: An input validation error when processing directory crossstreams within the IGSSDataServer process would allow threat actors to cause modification of an existing file by adding to the end of the file or creating a new file in the context of Data Server.
The flaw received a CVSS score of 6.5/10.
CVE-2022-24316: Incorrect initialization within the IGSSDataServer process would allow remote attackers to send a specially crafted message and expose the stored information.
The flaw received a CVSS score of 4.6/10.
According to the report, the flaws reside in Schneider Electric IGSS Data Server v15.0.0.22020.
Despite the fact that flaws can be exploited remotely by hackers without authentication, specialists have not detected active exploitation attempts. Still, specialists recommend users of affected deployments to correct as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
