CVE-2022-30314
CVSS V2 None
CVSS V3 Medium 4.6
Description
Honeywell Experion PKS Safety Manager 5.02 uses Hard-coded Credentials. According to FSCT-2022-0052, there is a Honeywell Experion PKS Safety Manager hardcoded credentials issue. The affected components are characterized as: POLO bootloader. The potential impact is: Manipulate firmware. The Honeywell Experion PKS Safety Manager utilizes the DCOM-232/485 serial interface for firmware management purposes. When booting, the Safety Manager exposes the Enea POLO bootloader via this interface. Access to the boot configuration is controlled by means of credentials hardcoded in the Safety Manager firmware. The credentials for the bootloader are hardcoded in the firmware. An attacker with access to the serial interface (either through physical access, a compromised EWS or an exposed serial-to-ethernet gateway) can utilize these credentials to control the boot process and manipulate the unauthenticated firmware image (see FSCT-2022-0054).
Overview
- CVE ID
- CVE-2022-30314
- Assigner
- cve@mitre.org
- Vulnerability Status
- Analyzed
- Published Version
- 2022-07-28T16:15:10
- Last Modified Date
- 2022-08-05T22:29:00
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
AND | ||||
cpe:2.3:o:honeywell:safety_manager_firmware:*:*:*:*:*:*:*:* | 1 | OR | r160.1 | |
cpe:2.3:h:honeywell:safety_manager:-:*:*:*:*:*:*:* | 0 | OR |
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Attack Vector
- PHYSICAL
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- NONE
- Availability Impact
- NONE
- Base Score
- 4.6
- Base Severity
- MEDIUM
- Exploitability Score
- 0.9
- Impact Score
- 3.6
References
Reference URL | Reference Tags |
---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-207-02 | |
https://www.forescout.com/blog/ |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-30314 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30314 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2022-07-28 17:01:08 | Added to TrackCVE |