CVE-2022-29965 in DeltaV Distributed Control Systeminformación

Resumen

por MITRE • 2022-07-27

The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. Access to privileged operations on the maintenance port TELNET interface (23/TCP) on M-series and SIS (CSLS/LSNB/LSNG) nodes is controlled by means of utility passwords. These passwords are generated using a deterministic, insecure algorithm using a single seed value composed of a day/hour/minute timestamp with less than 16 bits of entropy. The seed value is fed through a lookup table and a series of permutation operations resulting in three different four-character passwords corresponding to different privilege levels. An attacker can easily reconstruct these passwords and thus gain access to privileged maintenance operations. NOTE: this is different from CVE-2014-2350.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Reservar

2022-04-29

Divulgación

2022-07-27

Moderación

aceptado

Artículo

VDB-205119

CPE

listo

EPSS

0.00171

KEV

no

Actividades

muy bajo

Fuentes

Interested in the pricing of exploits?

See the underground prices here!