Vulnerability Description
JTEKT TOYOPUC PLCs through 2022-04-29 do not ensure data integrity. They utilize the unauthenticated CMPLink/TCP protocol for engineering purposes, including downloading projects and control logic to the PLC. Control logic is downloaded to the PLC on a block-by-block basis with a given memory address and a blob of machine code. The logic that is downloaded to the PLC is not cryptographically authenticated, allowing an attacker to execute arbitrary machine code on the PLC's CPU module in the context of the runtime. In the case of the PC10G-CPU, and likely for other CPU modules of the TOYOPUC family, a processor without MPU or MMU is used and this no memory protection or privilege-separation capabilities are available, giving an attacker full control over the CPU.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jtekt | Pc10G-Cpu Tcc-6353 Firmware | - |
| Jtekt | Pc10G-Cpu Tcc-6353 | - |
| Jtekt | Pc10Ge Tcc-6464 Firmware | - |
| Jtekt | Pc10Ge Tcc-6464 | - |
| Jtekt | Pc10P Tcc-6372 Firmware | - |
| Jtekt | Pc10P Tcc-6372 | - |
| Jtekt | Pc10P-Dp Tcc-6726 Firmware | - |
| Jtekt | Pc10P-Dp Tcc-6726 | - |
| Jtekt | Pc10P-Dp-Io Tcc-6752 Firmware | - |
| Jtekt | Pc10P-Dp-Io Tcc-6752 | - |
| Jtekt | Pc10B-P Tcc-6373 Firmware | - |
| Jtekt | Pc10B-P Tcc-6373 | - |
| Jtekt | Pc10B Tcc-1021 Firmware | - |
| Jtekt | Pc10B Tcc-1021 | - |
| Jtekt | Pc10E Tcc-4737 Firmware | - |
| Jtekt | Pc10E Tcc-4737 | - |
| Jtekt | Pc10El Tcc-4747 Firmware | - |
| Jtekt | Pc10El Tcc-4747 | - |
| Jtekt | Plus Cpu Tcc-6740 Firmware | - |
| Jtekt | Plus Cpu Tcc-6740 | - |
Related Weaknesses (CWE)
References
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-172-02Third Party AdvisoryUS Government Resource
- https://www.forescout.com/blog/Third Party Advisory
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-172-02Third Party AdvisoryUS Government Resource
- https://www.forescout.com/blog/Third Party Advisory
FAQ
What is CVE-2022-29958?
CVE-2022-29958 is a vulnerability with a CVSS score of 9.8 (CRITICAL). JTEKT TOYOPUC PLCs through 2022-04-29 do not ensure data integrity. They utilize the unauthenticated CMPLink/TCP protocol for engineering purposes, including downloading projects and control logic to ...
How severe is CVE-2022-29958?
CVE-2022-29958 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-29958?
Check the references section above for vendor advisories and patch information. Affected products include: Jtekt Pc10G-Cpu Tcc-6353 Firmware, Jtekt Pc10G-Cpu Tcc-6353, Jtekt Pc10Ge Tcc-6464 Firmware, Jtekt Pc10Ge Tcc-6464, Jtekt Pc10P Tcc-6372 Firmware.