CVE-2022-29959

Emerson OpenBSI through 2022-04-29 mishandles credential storage. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. This environment provides access control functionality through user authentication and privilege management. The credentials for various users are stored insecurely in the SecUsers.ini file by using a simple string transformation rather than a cryptographic mechanism.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
emersonopenbsi
𝑥
< 5.9
emersonopenbsi
5.9
emersonopenbsi
5.9:sp1
emersonopenbsi
5.9:sp2
emersonopenbsi
5.9:sp3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.cisa.gov/uscert/ics/advisories/icsa-22-221-03
https://www.forescout.com/blog/
https://www.cisa.gov/uscert/ics/advisories/icsa-22-221-03
https://www.forescout.com/blog/