ID

VAR-202206-2263


CVE

CVE-2022-29962


TITLE

Hardcoded Credentials Usage Vulnerability in Multiple Emerson Products

Trust: 0.8

sources: JVNDB: JVNDB-2022-018034

DESCRIPTION

The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. FTP has hardcoded credentials (but may often be disabled in production). This affects S-series, P-series, and CIOC/EIOC nodes. NOTE: this is different from CVE-2014-2350.

DeltaV Distributed Control System SQ controller firmware, DeltaV Distributed Control System SX controller firmware, SE4002S1T2B6 High Side 40-Pin Mass I/O Terminal Block. Multiple Emerson products, including firmware, contain vulnerabilities related to the use of hard-coded credentials. Information may be obtained.

Emerson DeltaV Distributed Control System

Trust: 1.71

sources: NVD: CVE-2022-29962 // JVNDB: JVNDB-2022-018034 // VULMON: CVE-2022-29962

AFFECTED PRODUCTS

vendor: emerson, model: se4017p1 h1 i/o card with integrated power, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: ve4105 ethernet/ip interface for ethernet connected i/o, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4037p1 redundant h1 i/o card with integrated power and terminal block, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4082s1t2b8 high side 40-pin do mass i/o terminal block, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: ve4103 modbus tcp interface for ethernet connected i/o, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: ve4107 iec 61850 mms interface for ethernet connected i/o, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4003s2b524-pin mass i/o terminal block, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4027 virtual i/o module 2, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4019p0 simplex h1 4-port plus fieldbus i/o interface with terminalblock, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: ve4104 ethernet/ip control tag integration for ethernet connected i/o, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4037p0 h1 i/o interface card and terminl block, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4017p0 h1 i/o interface card and terminl block, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4026 virtual i/o module 2, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4032s1t2b8 high side 40-pin do mass i/o terminal block, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4003s2b4 16-pin mass i/o terminal block, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4002s1t2b6 high side 40-pin mass i/o terminal block, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: ve4106 opc-ua client for ethernet connected i/o, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4039p0 redundant h1 4-port plus fieldbus i/o interface with terminalblock, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: deltav distributed control system sq controller, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4052s1t2b6 high side 40-pin mass i/o terminal block, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: deltav distributed control system sx controller, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4100 simplex ethernet i/o card assembly, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4101 simplex ethernet i/o card assembly, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: emerson, model: se4801t0x redundant wireless i/o card, scope: lte, version: 2022-04-29

Trust: 1.0

vendor: Emerson, model: se4101 simplex ethernet i/o card assembly, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4003s2b524-pin mass i/o terminal block, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4052s1t2b6 high side 40-pin mass i/o terminal block, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4037p1 redundant h1 i/o card with integrated power and terminal block, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4032s1t2b8 high side 40-pin do mass i/o terminal block, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4082s1t2b8 high side 40-pin do mass i/o terminal block, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4100 simplex ethernet i/o card assembly, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4801t0x redundant wireless i/o card, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4019p0 simplex h1 4-port plus fieldbus i/o interface with terminalblock, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4037p0 h1 i/o interface card and terminl block, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4003s2b4 16-pin mass i/o terminal block, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4026 virtual i/o module 2, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4039p0 redundant h1 4-port plus fieldbus i/o interface with terminalblock, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4017p1 h1 i/o card with integrated power, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4017p0 h1 i/o card and terminal block, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: deltav distributed control system sq controller, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4027 virtual i/o module 2, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: ve4103 modbus tcp interface for ethernet connected i/o, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: se4002s1t2b6 high side 40-pin mass i/o terminal block, scope: -, version: -

Trust: 0.8

vendor: Emerson, model: deltav distributed control system sx controller, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-018034 // NVD: CVE-2022-29962

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-29962
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-29962
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202206-2918
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-29962
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-29962
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-018034 // CNNVD: CNNVD-202206-2918 // NVD: CVE-2022-29962

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.0

problemtype: Use hard-coded credentials (CWE-798) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-018034 // NVD: CVE-2022-29962

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202206-2918

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202206-2918

PATCH

title: Emerson DeltaV Distributed Control System Repair measures for trust management problem vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=202540

Trust: 0.6

sources: CNNVD: CNNVD-202206-2918

EXTERNAL IDS

db: NVD, id: CVE-2022-29962

Trust: 3.3

db: ICS CERT, id: ICSA-22-181-03

Trust: 2.5

db: JVN, id: JVNVU92990931

Trust: 0.8

db: JVNDB, id: JVNDB-2022-018034

Trust: 0.8

db: CS-HELP, id: SB2022071112

Trust: 0.6

db: CNNVD, id: CNNVD-202206-2918

Trust: 0.6

db: VULMON, id: CVE-2022-29962

Trust: 0.1

sources: VULMON: CVE-2022-29962 // JVNDB: JVNDB-2022-018034 // CNNVD: CNNVD-202206-2918 // NVD: CVE-2022-29962

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-181-03

Trust: 2.5

url:https://www.forescout.com/blog/

Trust: 2.4

url:https://jvn.jp/vu/jvnvu92990931/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-29962

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022071112

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-29962/

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-181-03

Trust: 0.6

sources: VULMON: CVE-2022-29962 // JVNDB: JVNDB-2022-018034 // CNNVD: CNNVD-202206-2918 // NVD: CVE-2022-29962

CREDITS

Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202206-2918

SOURCES

db: VULMON, id: CVE-2022-29962
db: JVNDB, id: JVNDB-2022-018034
db: CNNVD, id: CNNVD-202206-2918
db: NVD, id: CVE-2022-29962

LAST UPDATE DATE

2024-08-14T13:53:12.514000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2022-018034, date: 2023-10-18T07:23:00
db: CNNVD, id: CNNVD-202206-2918, date: 2022-08-05T00:00:00
db: NVD, id: CVE-2022-29962, date: 2022-08-04T15:56:16.620

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2022-018034, date: 2023-10-18T00:00:00
db: CNNVD, id: CNNVD-202206-2918, date: 2022-06-30T00:00:00
db: NVD, id: CVE-2022-29962, date: 2022-07-26T22:15:11.050