// For flags

CVE-2022-1669

Circutor COMPACT DC-S BASIC

Severity Score

8.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A buffer overflow vulnerability has been detected in the firewall function of the device management web portal. The device runs a CGI binary (index.cgi) to offer a management web application. Once authenticated with valid credentials in this web portal, a potential attacker could submit any "Address" value and it would be copied to a second variable with a "strcpy" vulnerable function without checking its length. Because of this, it is possible to send a long address value to overflow the process stack, controlling the function return address.

Se ha detectado una vulnerabilidad de desbordamiento de búfer en la función de firewall del portal web de administración del dispositivo. El dispositivo ejecuta un binario CGI (index.cgi) para ofrecer una aplicación web de administración. Una vez autenticado con credenciales válidas en este portal web, un potencial atacante podría enviar cualquier valor "Address" y éste sería copiado a una segunda variable con una función vulnerable "strcpy" sin comprobar su longitud. Debido a esto, es posible enviar un valor de dirección largo para desbordar la pila del proceso, controlando la dirección de retorno de la función

*Credits: Angel Garcia Moreno reported this vulnerability to CISA.
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-05-10 CVE Reserved
  • 2022-05-24 CVE Published
  • 2024-09-17 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-121: Stack-based Buffer Overflow
CAPEC
References (1)
URL Tag Source
https://www.cisa.gov/uscert/ics/advisories/icsa-22-137-01 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Circutor
Search vendor "Circutor"
 Compact Dc-s Basic Firmware
Search vendor "Circutor" for product "Compact Dc-s Basic Firmware"
 1.2.17
Search vendor "Circutor" for product "Compact Dc-s Basic Firmware" and version "1.2.17"
-
Affected
in Circutor
Search vendor "Circutor"
 Compact Dc-s Basic
Search vendor "Circutor" for product "Compact Dc-s Basic"
--
Safe