CVE-2023-23588

A vulnerability has been identified in SIMATIC IPC1047 (All versions), SIMATIC IPC1047E (All versions with maxView Storage Manager < 4.09.00.25611 on Windows), SIMATIC IPC647D (All versions), SIMATIC IPC647E (All versions with maxView Storage Manager < 4.09.00.25611 on Windows), SIMATIC IPC847D (All versions), SIMATIC IPC847E (All versions with maxView Storage Manager < 4.09.00.25611 on Windows). The Adaptec Maxview application on affected devices is using a non-unique TLS certificate across installations to protect the communication from the local browser to the local application. A local attacker may use this key to decrypt intercepted local traffic between the browser and the application and could perform a man-in-the-middle attack in order to modify data in transit.
References
Configurations

Configuration 1

AND
cpe:2.3:o:siemens:simatic_ipc647d_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:simatic_ipc647d:-:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:o:siemens:simatic_ipc847d_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:simatic_ipc847d:-:*:*:*:*:*:*:*

Configuration 3

AND
cpe:2.3:o:siemens:simatic_ipc1047_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:simatic_ipc1047:-:*:*:*:*:*:*:*

Configuration 4

AND
cpe:2.3:a:microchip:maxview_storage_manager:*:*:*:*:*:windows:*:*
OR cpe:2.3:h:siemens:simatic_ipc1047e:-:*:*:*:*:*:*:*
cpe:2.3:h:siemens:simatic_ipc647e:-:*:*:*:*:*:*:*
cpe:2.3:h:siemens:simatic_ipc847e:-:*:*:*:*:*:*:*

History

11 Jan 2024, 14:31

Type Values Removed Values Added
First Time Microchip maxview Storage Manager
Microchip
CPE cpe:2.3:a:microsemi:maxview_storage_manager:*:*:*:*:*:windows:*:* cpe:2.3:a:microchip:maxview_storage_manager:*:*:*:*:*:windows:*:*

19 Apr 2023, 20:00

Type Values Removed Values Added
First Time Siemens simatic Ipc1047e
Siemens simatic Ipc847d
Microsemi maxview Storage Manager
Microsemi
Siemens simatic Ipc1047 Firmware
Siemens simatic Ipc647e
Siemens simatic Ipc647d
Siemens simatic Ipc1047
Siemens simatic Ipc847e
Siemens simatic Ipc647d Firmware
Siemens
Siemens simatic Ipc847d Firmware
CVSS v2 : unknown
v3 : 6.2
v2 : unknown
v3 : 6.3
CWE CWE-200 CWE-295
References (MISC) https://cert-portal.siemens.com/productcert/pdf/ssa-511182.pdf - (MISC) https://cert-portal.siemens.com/productcert/pdf/ssa-511182.pdf - Vendor Advisory
CPE cpe:2.3:h:siemens:simatic_ipc847e:-:*:*:*:*:*:*:*
cpe:2.3:h:siemens:simatic_ipc1047e:-:*:*:*:*:*:*:*
cpe:2.3:a:microsemi:maxview_storage_manager:*:*:*:*:*:windows:*:*
cpe:2.3:o:siemens:simatic_ipc647d_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:siemens:simatic_ipc847d_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:siemens:simatic_ipc1047_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:siemens:simatic_ipc1047:-:*:*:*:*:*:*:*
cpe:2.3:h:siemens:simatic_ipc647e:-:*:*:*:*:*:*:*
cpe:2.3:h:siemens:simatic_ipc847d:-:*:*:*:*:*:*:*
cpe:2.3:h:siemens:simatic_ipc647d:-:*:*:*:*:*:*:*

11 Apr 2023, 10:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-04-11 10:15

Updated : 2024-01-11 14:31


NVD link : CVE-2023-23588

Mitre link : CVE-2023-23588

CVE.ORG link : CVE-2023-23588



Products Affected

microchip

  • maxview_storage_manager

siemens

  • simatic_ipc647d
  • simatic_ipc1047_firmware
  • simatic_ipc647d_firmware
  • simatic_ipc647e
  • simatic_ipc1047e
  • simatic_ipc847d_firmware
  • simatic_ipc847d
  • simatic_ipc847e
  • simatic_ipc1047
CWE
CWE-295

Improper Certificate Validation

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor