Injection in the Handler_CFG.ashx web application. A remote attacker can leverage this vulnerability to execute arbitrary SQL queries, which may expose confidential information within the application or may be exploited to send email messages or make other unwanted requests to the application.

Delta Electronics DIAEnergie is aware of this issue and has released an updated version. Delta Electronics DIAEnergie versions v1.9.02.001 and later have been patched. To ensure that all users are updated, we recommend that all Delta Electronics DIAEnergie customers upgrade their systems to the latest version, which is available here: https://diae.deltaelectronics.com/updates/

To determine whether this vulnerability has affected your system, you can run the provided query against the network_control database and view the results.

Overview of the vulnerability

Delta Electronics DIAEnergie has released an updated version of their web application to patch a vulnerability that would have allowed a remote attacker to execute arbitrary SQL commands. The vulnerability lies in the web application’s use of HTTP cookies and is specifically related to the Handler_CFG.ashx web application. A remote attacker could leverage this vulnerability to send email messages or make unwanted requests to the web application, which could expose confidential information within the system or be exploited for other purposes.

Delta Electronics DIAEnergie is aware of this issue and has released an updated version of their application. Delta Electronics DIAEnergie versions v1.9.02.001 and later have been patched as a result of this defect; we recommend that all Delta Electronics DIAEnergie customers upgrade their systems to the latest version, available via https://diae.deltaelectronics.com/updates/

Delta Electronics DIAEnergie - Technical Details

Delta Electronics DIAEnergie (versions v1.9.02.001 and later) has been patched for CVE-2022-41775: Injection in the Handler_CFG.ashx web application.

The vulnerability was discovered by a member of Delta Electronics DIAEnergie’s Research and Development department and addressed with a new Web Application Firewall rule that detects malicious requests before they reach the Handler_CFG.ashx web application.
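For log review on hosts that have not yet been upgraded, the following added example (not vendor code and not the WAF rule mentioned above) scans IIS W3C logs for requests to Handler_CFG.ashx whose query string or cookie field contains common SQL injection markers. The marker pattern, the logged field set, and the sample records with their parameter and cookie names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

HANDLER = "/handler_cfg.ashx"  # endpoint named in the advisory, matched case-insensitively
# Heuristic SQL injection markers (an assumption; tune to reduce false positives).
SQLI = re.compile(
    r"'\s*(or|and)\b|--(\s|$)|;\s*(select|insert|update|delete|drop|exec)\b"
    r"|\bunion\b.+\bselect\b|\bwaitfor\s+delay\b",
    re.IGNORECASE,
)
# Constructed sample records; parameter and cookie names are hypothetical.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(Cookie) sc-status
2022-11-20 08:01:12 192.0.2.10 GET /Handler_CFG.ashx type=list session=abc123 200
2022-11-20 08:02:40 198.51.100.7 GET /Handler_CFG.ashx type=list%27+OR+1%3D1-- session=def456 200
2022-11-20 08:03:05 198.51.100.7 GET /Handler_CFG.ashx type=list session=x'+UNION+SELECT+1,2-- 500
2022-11-20 08:04:00 203.0.113.5 GET /Default.aspx id=1%27+OR+1%3D1-- - 200
""".splitlines()

def scan_iis_log(lines):
    """Return (date, time, client_ip, field_name, decoded_value) for each suspicious field."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, values))
        if not rec.get("cs-uri-stem", "").lower().endswith(HANDLER):
            continue
        for name in ("cs-uri-query", "cs(Cookie)"):
            raw = rec.get(name, "-")
            if raw == "-":
                continue  # field empty or not logged
            decoded = unquote_plus(unquote_plus(raw))  # also catches double-encoding
            if SQLI.search(decoded):
                hits.append((rec.get("date"), rec.get("time"), rec.get("c-ip"), name, decoded))
    return hits

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

Cookie values appear in IIS logs only when the cs(Cookie) field is enabled in the site's logging configuration; without it, only the query string is checked.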

Timeline

Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/18/2022 18:50:00 UTC

References