CVE-2022-30262
CVSS V2 None
CVSS V3 High 7.8
Description
The Emerson ControlWave 'Next Generation' RTUs through 2022-05-02 mishandle firmware integrity. They utilize the BSAP-IP protocol to transmit firmware updates. Firmware updates are supplied as CAB archive files containing a binary firmware image. In all cases, firmware images were found to have no authentication (in the form of firmware signing) and only relied on insecure checksums for regular integrity checks.
Overview
- CVE ID
- CVE-2022-30262
- Assigner
- cve@mitre.org
- Vulnerability Status
- Analyzed
- Published Version
- 2022-08-17T15:15:08
- Last Modified Date
- 2022-08-20T02:43:15
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| AND | ||||
| cpe:2.3:o:emerson:controlwave_pac_firmware:*:*:*:*:*:*:*:* | 1 | OR | 2022-05-02 | |
| cpe:2.3:h:emerson:controlwave_pac:-:*:*:*:*:*:*:* | 0 | OR | ||
| AND | ||||
| cpe:2.3:o:emerson:controlwave_micro_firmware:*:*:*:*:*:*:*:* | 1 | OR | 2022-05-02 | |
| cpe:2.3:h:emerson:controlwave_micro:-:*:*:*:*:*:*:* | 0 | OR |
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack Vector
- LOCAL
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 7.8
- Base Severity
- HIGH
- Exploitability Score
- 1.8
- Impact Score
- 5.9
References
| Reference URL | Reference Tags |
|---|---|
| https://www.forescout.com/blog/ | |
| https://www.cisa.gov/uscert/ics/advisories/icsa-22-221-02 |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-30262 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30262 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-08-17 16:00:10 | Added to TrackCVE |