CVE-2022-30275

EUVD-2022-52230

26.07.2022, 22:15

The Motorola MOSCAD Toolbox software through 2022-05-02 relies on a cleartext password. It utilizes an MDLC driver to communicate with MOSCAD/ACE RTUs for engineering purposes. Access to these communications is protected by a password stored in cleartext in the wmdlcdrv.ini driver configuration file. In addition, this password is used for access control to MOSCAD/STS projects protected with the Legacy Password feature. In this case, an insecure CRC of the password is present in the project file: this CRC is validated against the password in the driver configuration file.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 30%

Affected Products (NVD)

Vendor	Product	Version
motorolasolutions	mdlc	4.80.0024
motorolasolutions	mdlc	4.82.004
motorolasolutions	mdlc	4.83.001

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-312 - Cleartext Storage of Sensitive Information
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-05

https://www.forescout.com/blog/

https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-05

https://www.forescout.com/blog/