CVE-2022-30262

Опубликовано: 17 авг. 2022

Источник: nvd

CVSS3: 7.8

EPSS Низкий

Описание

The Emerson ControlWave 'Next Generation' RTUs through 2022-05-02 mishandle firmware integrity. They utilize the BSAP-IP protocol to transmit firmware updates. Firmware updates are supplied as CAB archive files containing a binary firmware image. In all cases, firmware images were found to have no authentication (in the form of firmware signing) and only relied on insecure checksums for regular integrity checks.

Ссылки

https://www.cisa.gov/uscert/ics/advisories/icsa-22-221-02
Mitigation
Third Party Advisory
US Government Resource
https://www.forescout.com/blog/
Third Party Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-22-221-02
Mitigation
Third Party Advisory
US Government Resource
https://www.forescout.com/blog/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:emerson:controlwave_pac_firmware:*:*:*:*:*:*:*:*

Версия до 2022-05-02 (включая)

cpe:2.3:h:emerson:controlwave_pac:-:*:*:*:*:*:*:*

Конфигурация 2

Одновременно

cpe:2.3:o:emerson:controlwave_micro_firmware:*:*:*:*:*:*:*:*

Версия до 2022-05-02 (включая)

cpe:2.3:h:emerson:controlwave_micro:-:*:*:*:*:*:*:*

EPSS

Процентиль: 6%

0.00024

Низкий

7.8 High

CVSS3

Дефекты

CWE-345

Связанные уязвимости

GHSA-g3xq-mfm7-v29h