CVE-2022-30269

Summary

CVE	CVE-2022-30269
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-07-26 23:15:00 UTC
Updated	2022-08-02 20:03:00 UTC
Description	Motorola ACE1000 RTUs through 2022-05-02 mishandle application integrity. They allow for custom application installation via either STS software, the C toolkit, or the ACE1000 Easy Configurator. In the case of the Easy Configurator, application images (as PLX/DAT/APP/CRC files) are uploaded via the Web UI. In case of the C toolkit, they are transferred and installed using SFTP/SSH. In each case, application images were found to have no authentication (in the form of firmware signing) and only relied on insecure checksums for regular integrity checks.

Risk And Classification

Problem Types: CWE-345

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Motorola	Ace1000	-	All	All	All
Operating System	Motorola	Ace1000 Firmware	-	All	All	All

References

Reference	Source	Link	Tags
Motorola Solutions ACE1000 \| CISA	MISC	www.cisa.gov
Blog - Forescout	MISC	www.forescout.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159984 Oracle Enterprise Linux Security Update for ol8addon (ELSA-2022-17957)