CVE-2022-29959

EUVD-2022-34266
Emerson OpenBSI through 2022-04-29 mishandles credential storage. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. This environment provides access control functionality through user authentication and privilege management. The credentials for various users are stored insecurely in the SecUsers.ini file by using a simple string transformation rather than a cryptographic mechanism.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
Affected Products (NVD)
VendorProductVersion
emersonopenbsi
𝑥
< 5.9
emersonopenbsi
5.9
emersonopenbsi
5.9:sp1
emersonopenbsi
5.9:sp2
emersonopenbsi
5.9:sp3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.cisa.gov/uscert/ics/advisories/icsa-22-221-03
https://www.forescout.com/blog/
https://www.cisa.gov/uscert/ics/advisories/icsa-22-221-03
https://www.forescout.com/blog/