CVE-2022-29962 — MEDIUM (5.5)

Q: How severe is CVE-2022-29962?

CVE-2022-29962 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-29962?

Check the references section above for vendor advisories and patch information. Affected products include: Emerson Deltav Distributed Control System Sq Controller Firmware, Emerson Deltav Distributed Control System Sq Controller, Emerson Deltav Distributed Control System Sx Controller Firmware, Emerson Deltav Distributed Control System Sx Controller, Emerson Se4002S1T2B6 High Side 40-Pin Mass I\/O Terminal Block Firmware.

Vulnerability Description

The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. FTP has hardcoded credentials (but may often be disabled in production). This affects S-series, P-series, and CIOC/EIOC nodes. NOTE: this is different from CVE-2014-2350.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Emerson	Deltav Distributed Control System Sq Controller Firmware	<= 2022-04-29
Emerson	Deltav Distributed Control System Sq Controller	-
Emerson	Deltav Distributed Control System Sx Controller Firmware	<= 2022-04-29
Emerson	Deltav Distributed Control System Sx Controller	-
Emerson	Se4002S1T2B6 High Side 40-Pin Mass I\/O Terminal Block Firmware	<= 2022-04-29
Emerson	Se4002S1T2B6 High Side 40-Pin Mass I\/O Terminal Block	-
Emerson	Se4003S2B4 16-Pin Mass I\/O Terminal Block Firmware	<= 2022-04-29
Emerson	Se4003S2B4 16-Pin Mass I\/O Terminal Block	-
Emerson	Se4003S2B524-Pin Mass I\/O Terminal Block Firmware	<= 2022-04-29
Emerson	Se4003S2B524-Pin Mass I\/O Terminal Block	-
Emerson	Se4017P0 H1 I\/O Interface Card And Terminl Block Firmware	<= 2022-04-29
Emerson	Se4017P0 H1 I\/O Interface Card And Terminl Block	-
Emerson	Se4017P1 H1 I\/O Card With Integrated Power Firmware	<= 2022-04-29
Emerson	Se4017P1 H1 I\/O Card With Integrated Power	-
Emerson	Se4019P0 Simplex H1 4-Port Plus Fieldbus I\/O Interface With Terminalblock Firmware	<= 2022-04-29
Emerson	Se4019P0 Simplex H1 4-Port Plus Fieldbus I\/O Interface With Terminalblock	-
Emerson	Se4026 Virtual I\/O Module 2 Firmware	<= 2022-04-29
Emerson	Se4026 Virtual I\/O Module 2	-
Emerson	Se4027 Virtual I\/O Module 2 Firmware	<= 2022-04-29
Emerson	Se4027 Virtual I\/O Module 2	-

Related Weaknesses (CWE)

CWE-798

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-181-03Third Party AdvisoryUS Government Resource
https://www.forescout.com/blog/Third Party Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-22-181-03Third Party AdvisoryUS Government Resource
https://www.forescout.com/blog/Third Party Advisory

FAQ

What is CVE-2022-29962?

CVE-2022-29962 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. FTP has hardcoded credentials (but may often be disabled in production). This affects ...

How severe is CVE-2022-29962?

CVE-2022-29962 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-29962?

Check the references section above for vendor advisories and patch information. Affected products include: Emerson Deltav Distributed Control System Sq Controller Firmware, Emerson Deltav Distributed Control System Sq Controller, Emerson Deltav Distributed Control System Sx Controller Firmware, Emerson Deltav Distributed Control System Sx Controller, Emerson Se4002S1T2B6 High Side 40-Pin Mass I\/O Terminal Block Firmware.