SUMMARY

The following vulnerability was found in Microchip Technology (Microsemi) SyncServer S650.

CVE-2022-40022

Microchip Technology (Microsemi) SyncServer S650 contains a command injection vulnerability in the web management interface of the SyncServer software in versions before 2.2.

IMPACT

Access Vector: Network Exploitable
Access Complexity: Low
Authentication: Required to exploit
Impact Type: Allows remote code execution, Allows disruption of service
Privilege Level: root

AFFECTED PRODUCTS

  • Microchip Technology (Microsemi) SyncServer S650

SOFTWARE FIXES

The Microchip Technology (Microsemi) SyncServer S650 is now an unsupported product. Products using the SyncServer software version 2.2 and above do not contain the vulnerability.

It is recommended that you block access to the web management ports on devices outside the support window and running SyncServer before version 2.2.

TIMELINE

REFERENCES

  • https://www.microsemi.com/document-portal/doc_download/135737-datasheet-syncserver-s650

  • https://www.microsemi.com/campaigns/network-time-servers/syncserver-s600/?url=https://www.microsemi.com/campaigns/network-time-servers/S650p/%3Fgd%3D1&id=5&gclid=Cj0KCQjwjbyYBhCdARIsAArC6LL-202ej5YfDB5lMIMSZ2735qjo5yaj2i-PrvLv2Cnh_kIJtFJ0oF8aAlMpEALw_wcB