CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
55.2%
A vulnerability exists in the OpenSSL that affects the RTU500 Series product versions listed below.
RTU500 series CMU Firmware versions 12.0.1 – 12.0.15 12.2.1 – 12.2.12 12.4.1 – 12.4.12 12.6.1 – 12.6.9 12.7.1 – 12.7.6 13.2.1 – 13.2.6 13.3.1 – 13.3.3 13.4.2
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(501743);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");
script_cve_id("CVE-2022-4304");
script_xref(name:"ICSA", value:"23-143-02");
script_name(english:"ABB RTU500 Series OpenSSL Bleichenbacher Style Attack (CVE-2022-4304)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"A vulnerability exists in the OpenSSL that affects
the RTU500 Series product versions listed below.
RTU500 series CMU Firmware versions
12.0.1 â 12.0.15
12.2.1 â 12.2.12
12.4.1 â 12.4.12
12.6.1 â 12.6.9
12.7.1 â 12.7.6
13.2.1 â 13.2.6
13.3.1 â 13.3.3
13.4.2
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large
number of trial messages for decryption. The vulnerability affects all
RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a
TLS connection, RSA is commonly used by a client to send an encrypted
pre-master secret to the server. An attacker that had observed a
genuine connection between a client and a server could use this flaw
to send trial messages to the server and record the time taken to
process them. After a sufficiently large number of messages the
attacker could recover the pre-master secret used for the original
connection and thus be able to decrypt the application data sent over
that connection.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20230207.txt");
script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-23-143-02");
# https://publisher.hitachienergy.com/preview?DocumentID=8DBD000150&LanguageCode=en&DocumentPartId=&Action=Launch
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3ca25a8b");
script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-4304");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(203);
script_set_attribute(attribute:"vuln_publication_date", value:"2023/02/08");
script_set_attribute(attribute:"patch_publication_date", value:"2023/02/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/29");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:hitachienergy:rtu500_firmware");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/ABB");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/ABB');
var asset = tenable_ot::assets::get(vendor:'ABB');
var vuln_cpes = {
"cpe:/o:hitachienergy:rtu500_firmware:12.0" :
{"versionEndIncluding" : "12.0.15", "versionStartIncluding" : "12.0.1", "family" : "AbbRTU500"},
"cpe:/o:hitachienergy:rtu500_firmware:12.2" :
{"versionEndIncluding" : "12.2.12", "versionStartIncluding" : "12.2.1", "family" : "AbbRTU500"},
"cpe:/o:hitachienergy:rtu500_firmware:12.4" :
{"versionEndIncluding" : "12.4.12", "versionStartIncluding" : "12.4.1", "family" : "AbbRTU500"},
"cpe:/o:hitachienergy:rtu500_firmware:12.6" :
{"versionEndIncluding" : "12.6.9", "versionStartIncluding" : "12.6.1", "family" : "AbbRTU500"},
"cpe:/o:hitachienergy:rtu500_firmware:12.7" :
{"versionEndIncluding" : "12.7.6", "versionStartIncluding" : "12.7.1", "family" : "AbbRTU500"},
"cpe:/o:hitachienergy:rtu500_firmware:13.2" :
{"versionEndIncluding" : "13.2.6", "versionStartIncluding" : "13.2.1", "family" : "AbbRTU500"},
"cpe:/o:hitachienergy:rtu500_firmware:13.3" :
{"versionEndIncluding" : "13.3.4", "versionStartIncluding" : "13.3.1", "family" : "AbbRTU500"},
"cpe:/o:hitachienergy:rtu500_firmware:13.4.1" :
{"versionEndIncluding" : "13.4.2", "versionStartIncluding" : "13.4.2", "family" : "AbbRTU500"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
55.2%