CVE-2022-30316

{"id": "CVE-2022-30316", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}]}, "published": "2022-07-28T16:15:11.277", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-207-02", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "source": "cve@mitre.org"}, {"url": "https://www.forescout.com/blog/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-354"}]}], "descriptions": [{"lang": "en", "value": "Honeywell Experion PKS Safety Manager 5.02 has Insufficient Verification of Data Authenticity. According to FSCT-2022-0054, there is a Honeywell Experion PKS Safety Manager unauthenticated firmware update issue. The affected components are characterized as: Firmware update functionality. The potential impact is: Firmware manipulation. The Honeywell Experion PKS Safety Manager utilizes the DCOM-232/485 communication FTA serial interface and Enea POLO bootloader for firmware management purposes. An engineering workstation running the Safety Builder software communicates via serial or serial-over-ethernet link with the DCOM-232/485 interface. Firmware images were found to have no authentication (in the form of firmware signing) and only relied on insecure checksums for regular integrity checks. Firmware images are unsigned. An attacker with access to the serial interface (either through physical access, a compromised EWS or an exposed serial-to-ethernet gateway) can utilize hardcoded credentials (see FSCT-2022-0052) for the POLO bootloader to control the boot process and push malicious firmware images to the controller allowing for firmware manipulation, remote code execution and denial of service impacts. A mitigating factor is that in order for a firmware update to be initiated, the Safety Manager has to be rebooted which is typically done by means of physical controls on the Safety Manager itself. As such, an attacker would have to either lay dormant until a legitimate reboot occurs or possibly attempt to force a reboot through a secondary vulnerability."}, {"lang": "es", "value": "Honeywell Experion PKS Safety Manager versi\u00f3n 5.02, presenta una verificaci\u00f3n insuficiente de la autenticidad de los datos. De acuerdo con FSCT-2022-0054, se presenta un problema de actualizaci\u00f3n de firmware no autenticado de Honeywell Experion PKS Safety Manager. Los componentes afectados son caracterizados como: Funcionalidad de actualizaci\u00f3n de firmware. El impacto potencial es: Manipulaci\u00f3n del firmware. El Honeywell Experion PKS Safety Manager usa la interfaz de serie FTA de comunicaci\u00f3n DCOM-232/485 y el bootloader Enea POLO para la administraci\u00f3n del firmware. Una estaci\u00f3n de trabajo de ingenier\u00eda que ejecuta el software Safety Builder es comunicado por medio de un enlace de serie o de serie sobre red con la interfaz DCOM-232/485. Se comprob\u00f3 que las im\u00e1genes de firmware no presentan autenticaci\u00f3n (en forma de firma de firmware) y s\u00f3lo son basadas en sumas de comprobaci\u00f3n no seguras para las comprobaciones peri\u00f3dicas de integridad. Las im\u00e1genes de firmware no est\u00e1n firmadas. Un atacante con acceso a la interfaz serie (ya sea mediante un acceso f\u00edsico, un EWS comprometido o una puerta de enlace serie-ethernet expuesta) puede usar credenciales embebidas (ver FSCT-2022-0052) para el cargador de arranque POLO para controlar el proceso de arranque y enviar im\u00e1genes de firmware maliciosas al controlador, lo que permite una manipulaci\u00f3n del firmware, una ejecuci\u00f3n de c\u00f3digo remota y una denegaci\u00f3n de servicio. Un factor atenuante es que para que sea iniciada una actualizaci\u00f3n de firmware, el administrador de seguridad debe ser reiniciado, lo que normalmente es hecho mediante controles f\u00edsicos en el propio gestor de seguridad. Por lo tanto, un atacante tendr\u00eda que permanecer inactivo hasta que sea producido un reinicio leg\u00edtimo o posiblemente intentar forzar un reinicio mediante una vulnerabilidad secundaria"}], "lastModified": "2022-08-05T22:31:22.577", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:honeywell:safety_manager_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51819C44-DBCB-4FDB-8413-0268012EADF1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:honeywell:safety_manager:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "6E6B8510-74F7-4B1F-A59A-0FC4261DFE90"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}