CVE-2022-29960 in OpenBSIinfo

Summary

by MITRE • 07/27/2022

Emerson OpenBSI through 2022-04-29 uses weak cryptography. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. DES with hardcoded cryptographic keys is used for protection of certain system credentials, engineering files, and sensitive utilities.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 08/27/2022

The vulnerability identified as CVE-2022-29960 affects Emerson OpenBSI software version 2022-04-29 and earlier, representing a critical weakness in the cryptographic implementation of the ControlWave and Bristol Babcock line of Remote Terminal Units. This engineering environment utilizes outdated and insecure cryptographic practices that fundamentally compromise the security posture of industrial control systems. The flaw specifically involves the use of Data Encryption Standard with hardcoded cryptographic keys for protecting system credentials, engineering files, and sensitive utilities within the RTU environment. This represents a severe configuration vulnerability that directly violates established cryptographic security principles and industry best practices for industrial control systems.

The technical implementation of this vulnerability stems from the use of DES encryption algorithm with hardcoded keys, which constitutes a fundamental cryptographic weakness that has been deprecated for decades due to its inherent security limitations. The DES algorithm, with its 56-bit key length, provides minimal security against modern cryptanalytic attacks and is vulnerable to brute force attacks within reasonable timeframes. When combined with hardcoded keys, the vulnerability becomes even more severe as these keys are embedded within the software itself, making them easily discoverable through reverse engineering or static analysis. This approach directly contravenes the principle of key separation and proper cryptographic key management practices that are essential for protecting sensitive industrial control system data. The weakness operates at the core of the system's authentication and authorization mechanisms, potentially exposing critical system credentials and engineering configurations that should remain protected from unauthorized access.

The operational impact of this vulnerability extends beyond simple credential exposure to encompass the complete compromise of industrial control system integrity and availability. Attackers who discover the hardcoded DES keys can gain unauthorized access to system credentials, potentially enabling them to modify engineering files, access sensitive utilities, and manipulate control system operations. This vulnerability particularly affects the ControlWave and Bristol Babcock RTU platforms, which are commonly deployed in critical infrastructure environments including power generation, water treatment, and manufacturing facilities. The exposure of engineering files through this weakness could allow adversaries to understand system configurations, identify potential attack vectors, and develop more sophisticated exploitation techniques. From an operational security perspective, this vulnerability creates a persistent backdoor that remains active regardless of system updates or user authentication attempts, making it particularly dangerous for industrial environments where system availability and security are paramount.

Mitigation strategies for this vulnerability must address both immediate remediation and long-term architectural improvements to prevent similar cryptographic weaknesses in industrial control systems. The primary recommendation involves immediate replacement of the hardcoded DES encryption with modern cryptographic standards including AES-256 encryption with properly managed keys that are generated dynamically and stored securely. Organizations should implement proper key management practices that include key rotation, secure key storage mechanisms, and access controls that limit who can access cryptographic materials. This vulnerability aligns with CWE-327, which specifically addresses the use of weak cryptographic algorithms, and represents a clear violation of NIST SP 800-57 guidelines for cryptographic key management. Additionally, from an ATT&CK framework perspective, this vulnerability maps to techniques such as credential access and defense evasion, as attackers can leverage the hardcoded keys to maintain persistent access to industrial control systems without detection. The remediation process should include comprehensive code review to identify any other instances of weak cryptography, implementation of secure coding practices, and regular security assessments to ensure that cryptographic implementations meet current industry standards for industrial control systems.

Reservation

04/29/2022

Disclosure

07/27/2022

Moderation

accepted

CPE

ready

EPSS

0.00475

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!