CVE-2022-29952 — CRITICAL (9.1)

Q: How severe is CVE-2022-29952?

CVE-2022-29952 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-29952?

Check the references section above for vendor advisories and patch information. Affected products include: Bakerhughes Bently Nevada 3701\/40 Firmware, Bakerhughes Bently Nevada 3701\/40, Bakerhughes Bently Nevada 3701\/44 Firmware, Bakerhughes Bently Nevada 3701\/44, Bakerhughes Bently Nevada 3701\/46 Firmware.

Vulnerability Description

Bently Nevada condition monitoring equipment through 2022-04-29 mishandles authentication. It utilizes the TDI command and data protocols (60005/TCP, 60007/TCP) for communications between the monitoring controller and System 1 and/or Bently Nevada Monitor Configuration (BNMC) software. These protocols provide configuration management and historical data related functionality. Neither protocol has any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Bakerhughes	Bently Nevada 3701\/40 Firmware	< 4.1
Bakerhughes	Bently Nevada 3701\/40	-
Bakerhughes	Bently Nevada 3701\/44 Firmware	< 4.1
Bakerhughes	Bently Nevada 3701\/44	-
Bakerhughes	Bently Nevada 3701\/46 Firmware	< 4.1
Bakerhughes	Bently Nevada 3701\/46	-
Bakerhughes	Bently Nevada 60M100 Firmware	-
Bakerhughes	Bently Nevada 60M100	-

Related Weaknesses (CWE)

CWE-306

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-188-02MitigationThird Party AdvisoryUS Government Resource
https://www.forescout.com/blog/Third Party Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-22-188-02MitigationThird Party AdvisoryUS Government Resource
https://www.forescout.com/blog/Third Party Advisory

FAQ

What is CVE-2022-29952?

CVE-2022-29952 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Bently Nevada condition monitoring equipment through 2022-04-29 mishandles authentication. It utilizes the TDI command and data protocols (60005/TCP, 60007/TCP) for communications between the monitori...

How severe is CVE-2022-29952?

CVE-2022-29952 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-29952?

Check the references section above for vendor advisories and patch information. Affected products include: Bakerhughes Bently Nevada 3701\/40 Firmware, Bakerhughes Bently Nevada 3701\/40, Bakerhughes Bently Nevada 3701\/44 Firmware, Bakerhughes Bently Nevada 3701\/44, Bakerhughes Bently Nevada 3701\/46 Firmware.