CVE-2022-29957

Summary

CVE	CVE-2022-29957
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-07-26 22:15:00 UTC
Updated	2023-01-24 16:07:00 UTC
Description	The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 mishandles authentication. It utilizes several proprietary protocols for a wide variety of functionality. These protocols include Firmware upgrade (18508/TCP, 18518/TCP); Plug-and-Play (18510/UDP); Hawk services (18507/UDP); Management (18519/TCP); Cold restart (18512/UDP); SIS communications (12345/TCP); and Wireless Gateway Protocol (18515/UDP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.

Risk And Classification

Problem Types: CWE-306

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Emerson	Deltav Distributed Control System	All	All	All	All
Application	Emerson	Deltav Distributed Control System Firmware	All	All	All	All

References

Reference	Source	Link	Tags
Emerson DeltaV Distributed Control System \| CISA	MISC	www.cisa.gov
Blog - Forescout	MISC	www.forescout.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

591249 Emerson DeltaV Distributed Control System Multiple Vulnerabilities (ICSA-22-181-03)