CVE-2024-3980

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)

Published: Aug 27, 2024 / Updated: 2mo ago

CVSS 8.8 / EPSS 0.04% / High

Summary

The product allows user input to control or influence paths or file names that are used in filesystem operations, allowing the attacker to access or modify system files or other files that are critical to the application. This vulnerability is associated with CWE-88, which relates to improper neutralization of argument delimiters in a command ('Argument Injection').

Impact

The impact of this vulnerability is severe, with a CVSS v3.1 base score of 8.8 (High). It affects confidentiality, integrity, and availability, all rated as HIGH. The attack vector is NETWORK, requiring LOW attack complexity and LOW privileges, with NO user interaction needed. This means an attacker with network access and low-level privileges could potentially gain unauthorized access to critical system files, modify them, or disrupt system operations. The scope is UNCHANGED, indicating the vulnerable component and the impacted component are the same.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Hitachi Energy has released a security update to address this vulnerability. The patch information can be found at https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageCode=en&DocumentPartId=&Action=Launch.

Mitigation

To mitigate this vulnerability, it is strongly recommended to update the affected product, MicroSCADA X SYS600, to a version newer than 10.6. Given the high severity and potential for significant impact, this update should be prioritized. In the interim, if immediate patching is not possible, consider implementing additional access controls, input validation, and monitoring mechanisms to detect and prevent potential exploitation attempts. Limit network access to the affected systems where possible, and ensure that user privileges are kept to the minimum necessary for operation.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-3980.

Aug 27, 2024 at 1:21 PM / National Vulnerability Database

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 27, 2024 at 1:21 PM

EPSS

EPSS Score was set to: 0.04% (Percentile: 9.5%)

Aug 28, 2024 at 9:30 AM

CVSS

A CVSS base score of 8.8 has been assigned.

Aug 28, 2024 at 4:35 PM / nvd

Threat Intelligence Report

The vulnerability CVE-2024-3980 in Hitachi Energy MicroSCADA X SYS600 with a CVSS score of 9.8 allows attackers to manipulate file paths, potentially leading to unauthorized access or modification of critical files. This vulnerability poses a high risk of exploitation in the wild, with proof-of-concept exploits likely to emerge. Mitigations, detections, and patches should be implemented promptly to prevent downstream impacts on other third-party vendors or technologies.

Aug 30, 2024 at 1:32 AM

Affected Systems

Hitachienergy/microscada_x_sys600

Patches

publisher.hitachienergy.com

Attack Patterns

CAPEC-137: Parameter Injection

News

US-CERT Vulnerability Summary for the Week of August 26, 2024
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High : vulnerabilities with a CVSS base score of 7.0–10.0 Medium : vulnerabilities with a CVSS base score of 4.0–6.9 Low : vulnerabilities with a CVSS base score of 0.0–3.9 Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links.
@RISK: The Consensus Security Vulnerability Alert: Vol. 24, Num. 34 - SANS Institute
Hitachi reports critical flaws in its MicroSCADA X SYS600, urges patching
Hitachi Energy has reported multiple high to critical severity vulnerabilities in its MicroSCADA X SYS600 product, which is widely used for monitoring and controlling utility power systems. CVE-2024-4872 (CVSS score 9.9) : This critical vulnerability involves SQL injection due to improper validation of user queries, allowing attackers to execute unauthorized commands.
Hitachi Energy Vulnerabilities Plague SCADA Power Systems
Hitachi Energy is urging customers of its MicroSCADA X SYS600 product for monitoring and controlling utility power systems to immediately upgrade to a newly released version to mitigate multiple critical and high-severity vulnerabilities. However, to pull it off an attacker would need to have local access to a machine where a vulnerable instance of MicroSCADA X SYS600 is installed, and enable session logging, Hitachi said.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
