Sign-up

ID

VAR-202206-1863


CVE

CVE-2022-29957


TITLE

emerson's  DeltaV Distributed Control System  Vulnerability regarding lack of authentication for critical features in

Trust: 0.8

sources: JVNDB: JVNDB-2022-018036

DESCRIPTION

The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 mishandles authentication. It utilizes several proprietary protocols for a wide variety of functionality. These protocols include Firmware upgrade (18508/TCP, 18518/TCP); Plug-and-Play (18510/UDP); Hawk services (18507/UDP); Management (18519/TCP); Cold restart (18512/UDP); SIS communications (12345/TCP); and Wireless Gateway Protocol (18515/UDP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. emerson's DeltaV Distributed Control System There is a vulnerability in the lack of authentication for critical features.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The system includes functions such as network security management, alarm management, batch control and change management

Trust: 1.71

sources: NVD: CVE-2022-29957 // JVNDB: JVNDB-2022-018036 // VULHUB: VHN-421452

AFFECTED PRODUCTS

vendor:emersonmodel:deltav distributed control systemscope:lteversion:2022-04-29

Trust: 1.0

vendor:エマソンmodel:deltav distributed control systemscope:eqversion: -

Trust: 0.8

vendor:エマソンmodel:deltav distributed control systemscope:lteversion:2022-04-29 and earlier

Trust: 0.8

vendor:エマソンmodel:deltav distributed control systemscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-018036 // NVD: CVE-2022-29957

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-29957
value: HIGH

Trust: 1.0

NVD: CVE-2022-29957
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202206-2922
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-29957
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-29957
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-018036 // CNNVD: CNNVD-202206-2922 // NVD: CVE-2022-29957

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.1

problemtype:Lack of authentication for critical features (CWE-306) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-421452 // JVNDB: JVNDB-2022-018036 // NVD: CVE-2022-29957

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202206-2922

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202206-2922

PATCH

title:Emerson DeltaV Distributed Control System Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=199423

Trust: 0.6

title:The Registerurl:https://www.theregister.co.uk/2022/06/21/56_vulnerabilities_critical_industrial/

Trust: 0.1

sources: VULMON: CVE-2022-29957 // CNNVD: CNNVD-202206-2922

EXTERNAL IDS

db:NVDid:CVE-2022-29957

Trust: 3.4

db:ICS CERTid:ICSA-22-181-03

Trust: 2.5

db:JVNid:JVNVU92990931

Trust: 0.8

db:JVNDBid:JVNDB-2022-018036

Trust: 0.8

db:CNNVDid:CNNVD-202206-2922

Trust: 0.7

db:CS-HELPid:SB2022071112

Trust: 0.6

db:VULHUBid:VHN-421452

Trust: 0.1

db:VULMONid:CVE-2022-29957

Trust: 0.1

sources: VULHUB: VHN-421452 // VULMON: CVE-2022-29957 // JVNDB: JVNDB-2022-018036 // CNNVD: CNNVD-202206-2922 // NVD: CVE-2022-29957

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-181-03

Trust: 2.5

url:https://www.forescout.com/blog/

Trust: 2.5

url:https://jvn.jp/vu/jvnvu92990931/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-29957

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022071112

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-181-03

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-29957/

Trust: 0.6

url:https://www.theregister.co.uk/2022/06/21/56_vulnerabilities_critical_industrial/

Trust: 0.1

sources: VULHUB: VHN-421452 // VULMON: CVE-2022-29957 // JVNDB: JVNDB-2022-018036 // CNNVD: CNNVD-202206-2922 // NVD: CVE-2022-29957

CREDITS

Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202206-2922

SOURCES

db:VULHUBid:VHN-421452
db:VULMONid:CVE-2022-29957
db:JVNDBid:JVNDB-2022-018036
db:CNNVDid:CNNVD-202206-2922
db:NVDid:CVE-2022-29957

LAST UPDATE DATE

2024-08-14T13:53:12.648000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-421452date:2023-01-24T00:00:00
db:JVNDBid:JVNDB-2022-018036date:2023-10-18T07:24:00
db:CNNVDid:CNNVD-202206-2922date:2022-08-05T00:00:00
db:NVDid:CVE-2022-29957date:2023-01-24T16:07:16.410

SOURCES RELEASE DATE

db:VULHUBid:VHN-421452date:2022-07-26T00:00:00
db:JVNDBid:JVNDB-2022-018036date:2023-10-18T00:00:00
db:CNNVDid:CNNVD-202206-2922date:2022-06-30T00:00:00
db:NVDid:CVE-2022-29957date:2022-07-26T22:15:10.923