Products
H2-DM1E PLC
Source
ics-cert@hq.dhs.gov
Tags
CVE-2024-45368 details
Published : Sept. 13, 2024, 5:15 p.m.
Last Modified : Sept. 13, 2024, 5:15 p.m.
Last Modified : Sept. 13, 2024, 5:15 p.m.
Description
The H2-DM1E PLC's authentication protocol appears to utilize either a custom encoding scheme or a challenge-response protocol. However, there's an observed anomaly in the H2-DM1E PLC's protocol execution, namely its acceptance of multiple distinct packets as valid authentication responses. This behavior deviates from standard security practices where a single, specific response or encoding pattern is expected for successful authentication.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8.8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-384 | Session Fixation | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
CVSS Data
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Exploitability Score
2.8
Impact Score
5.9
Base Severity
HIGH
Vector String : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
| URL | Source |
|---|---|
| https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-17 | ics-cert@hq.dhs.gov |
This website uses the NVD API, but is not approved or certified by it.