Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-2789 (published 2022-08-19): Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-345 Insufficient Verification of Data Authenticity, and can display logic that is different from the compiled logic.
CVE-2022-2790 (published 2022-08-19): Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-347 Improper Verification of Cryptographic Signature, and does not properly verify compiled logic (PDT files) and data-block data (BLD/BLK files).
CVE-2022-2792 (published 2022-08-19): Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-284 Improper Access Control, and stores project data in a directory with improper access control lists.
CVE-2022-2793 (published 2022-08-19): Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-353 Missing Support for Integrity Check, and has no authentication or authorization of data packets after establishing a connection for the SRTP protocol.
CVE-2022-35554 (published 2022-08-19): Multiple reflected XSS vulnerabilities occur when handling error messages in BPC SmartVista version 3.28.0, allowing an attacker to execute JavaScript code on the client side.
User Rank: Author
1/8/2015 | 3:23:31 PM
I probably did sound contradictory in the comments you highlighted. Great catch. I did not do a good job of defining where I am talking about threat and where I am talking about data/applications.
In the first reference, I was referring to data and applications. In other words, you cannot protect all of your data and applications, so you should aggressively segment and control access to your company's crown jewels.
In the second reference, I am referring to threat. I am trying to coach CISOs and business owners to assume you are a target. Too many companies, like CodeSpaces, probably believe they are not a target because they do not have something of value to criminals (e.g., credit card data, electronic health records). Even in this case, these companies should still NOT try to protect their whole environment, especially if it is very complex or dynamic. They should still identify the company crown jewels and aggressively segment. In the case of CodeSpaces, they might have been saved by two-factor auth for their admin access to their cloud environment.
Hopefully that clears up the confusion, thanks for asking for clarification.
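One concrete form of the control the comment ends on (a second factor required for administrative access to the cloud account) is an AWS IAM policy that denies every action unless the request carries MFA context. The example below is added here and is not from the original comment or from CodeSpaces; it shows a weak version of that policy beside a hardened one and runs both through a deliberately simplified model of IAM's evaluation logic (an explicit Deny wins, otherwise an Allow is required, otherwise the request is implicitly denied). The action names and the three request records are constructed for the illustration.

```python
"""Added illustration, not code from the original page: "require MFA for
admin access" as an IAM policy, and why the condition operator matters.

The evaluate() function is a simplified model of IAM policy evaluation
(explicit Deny wins; otherwise a matching Allow is needed; otherwise the
request is implicitly denied).  It supports only what the example needs:
Action/NotAction on a single action string, and Bool / BoolIfExists
conditions.  The request contexts below are constructed sample data.
"""

# Weak version: looks like "deny unless MFA", but a Bool condition on a key
# that is absent from the request never matches.  Requests signed with
# long-term access keys carry no aws:MultiFactorAuthPresent key at all, so
# the Deny never fires for them and the Allow stands.
POLICY_WEAK = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyNoMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Hardened version: BoolIfExists treats a missing key as a match, so a
# request with no MFA context is denied as well.  NotAction carves out only
# the calls a user needs to enrol a device and obtain an MFA-backed session.
POLICY_HARDENED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyNoMFA", "Effect": "Deny",
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                       "iam:ListMFADevices", "iam:GetUser",
                       "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Constructed request contexts (hypothetical; only the MFA key is modelled).
REQ_MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}    # console login + MFA
REQ_NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}  # console login, no MFA
REQ_ACCESS_KEY = {}  # long-term access key: no MFA context present at all

ADMIN_ACTION = "ec2:TerminateInstances"  # placeholder destructive admin call


def _action_matches(stmt, action):
    """Action: match "*" or the exact action; NotAction: match everything else."""
    if "Action" in stmt:
        acts = stmt["Action"]
        acts = acts if isinstance(acts, list) else [acts]
        return any(a in ("*", action) for a in acts)
    return action not in stmt["NotAction"]


def _condition_matches(cond, context):
    """Bool requires the key; BoolIfExists treats a missing key as a match."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, context):
    """Return "Allow", "Deny" or "ImplicitDeny" for one action and context."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def compare(action=ADMIN_ACTION):
    """Decision of both policies for each constructed request, keyed by name."""
    requests = {"mfa_session": REQ_MFA_SESSION,
                "no_mfa_session": REQ_NO_MFA_SESSION,
                "access_key": REQ_ACCESS_KEY}
    return {name: (evaluate(POLICY_WEAK, action, ctx),
                   evaluate(POLICY_HARDENED, action, ctx))
            for name, ctx in requests.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in compare().items():
        print(f"{name:15s} weak={weak:13s} hardened={hardened}")
```

The point to take from the simulation is the third row: with the weak policy a stolen long-term access key still performs the destructive admin action, because the MFA key is simply absent from that request and a plain Bool condition cannot fire on it. The hardened policy denies it, while still allowing `sts:GetSessionToken` so a legitimate user can mint an MFA-backed session and proceed.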