github - ghsa-p288-3mcf-2f3w

ghsa-p288-3mcf-2f3w

Vulnerability from github

Published

2025-04-11 18:31

Modified

2025-04-11 18:31

Severity ?

4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Details

Subnet Solutions PowerSYSTEM Center's SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.

Show details on source website

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-31354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-11T16:15:19Z",
    "severity": "MODERATE"
  },
  "details": "Subnet Solutions PowerSYSTEM Center\u0027s SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.",
  "id": "GHSA-p288-3mcf-2f3w",
  "modified": "2025-04-11T18:31:06Z",
  "published": "2025-04-11T18:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31354"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-08"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2025-31354 (GCVE-0-2025-31354)

Vulnerability from cvelistv5

Published

2025-04-11 15:30

Modified

2025-04-11 16:13

Severity ?

4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-125

Summary

Subnet Solutions PowerSYSTEM Center's SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.

References

URL

Tags

https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-08

Impacted products

	Vendor	Product	Version
	Subnet Solutions	PowerSYSTEM Center 2020	Version: 0 <

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31354",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-11T16:12:54.523904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-11T16:13:34.583Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PowerSYSTEM Center 2020",
          "vendor": "Subnet Solutions",
          "versions": [
            {
              "lessThanOrEqual": "5.24.x",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Subnet Solutions Inc. reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSubnet Solutions\u003c/span\u003e PowerSYSTEM Center\u0027s SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.\u003c/span\u003e"
            }
          ],
          "value": "Subnet Solutions PowerSYSTEM Center\u0027s SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-11T15:30:24.676Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-08"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSubnet Solutions Inc. recommends users update PowerSYSTEM Center (PSC) to the latest versions:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePSC 2020 Update 25\u003c/li\u003e\u003cli\u003ePSC 2024\u003c/li\u003e\u003c/ul\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor assistance with updating PSC, reach out directly to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\"\u003eSubnet Solutions\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Subnet Solutions Inc. recommends users update PowerSYSTEM Center (PSC) to the latest versions:\n\n  *  PSC 2020 Update 25\n  *  PSC 2024\n\n\n\n\n\n\nFor assistance with updating PSC, reach out directly to Subnet Solutions."
        }
      ],
      "source": {
        "advisory": "ICSA-25-100-08",
        "discovery": "INTERNAL"
      },
      "title": "Subnet Solutions PowerSYSTEM Center Out-of-Bounds Read",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIf updating PSC is not possible, Subnet Solutions Inc recommends users apply the following mitigations to help reduce risk:\u003c/p\u003e\u003cul\u003e\u003cli\u003eDisable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.\u003c/li\u003e\u003cli\u003eConfigure PowerSYSTEM Center DCS network firewall to only allow connections to an approved and authorized email server.\u003c/li\u003e\u003cli\u003eManage administrator access to PowerSYSTEM Center DCS operating system.\u003c/li\u003e\u003cli\u003eMonitor user activity records to ensure users are following acceptable usage policies of the application.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "If updating PSC is not possible, Subnet Solutions Inc recommends users apply the following mitigations to help reduce risk:\n\n  *  Disable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.\n  *  Configure PowerSYSTEM Center DCS network firewall to only allow connections to an approved and authorized email server.\n  *  Manage administrator access to PowerSYSTEM Center DCS operating system.\n  *  Monitor user activity records to ensure users are following acceptable usage policies of the application."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-31354",
    "datePublished": "2025-04-11T15:30:24.676Z",
    "dateReserved": "2025-04-08T00:02:45.758Z",
    "dateUpdated": "2025-04-11T16:13:34.583Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.