Vulnerability Description
Honeywell Alerton Compass Software 1.6.5 allows unauthenticated configuration changes from remote users. This enables configuration data to be stored on the controller and then implemented. A user with malicious intent can send a crafted packet to change the controller configuration without the knowledge of other users, altering the controller's function capabilities. The changed configuration is not updated in the User Interface, which creates an inconsistency between the configuration display and the actual configuration on the controller. After the configuration change, remediation requires reverting to the correct configuration, requiring either physical or remote access depending on the configuration that was altered.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Honeywell | Alerton Compass | 1.6.5 |
Related Weaknesses (CWE)
References
- https://blog.scadafence.comThird Party Advisory
- https://github.com/scadafence/Honeywell-Alerton-VulnerabilitiesThird Party Advisory
- https://www.honeywell.com/us/en/product-securityVendor Advisory
- https://blog.scadafence.comThird Party Advisory
- https://github.com/scadafence/Honeywell-Alerton-VulnerabilitiesThird Party Advisory
- https://www.honeywell.com/us/en/product-securityVendor Advisory
FAQ
What is CVE-2022-30245?
CVE-2022-30245 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Honeywell Alerton Compass Software 1.6.5 allows unauthenticated configuration changes from remote users. This enables configuration data to be stored on the controller and then implemented. A user wit...
How severe is CVE-2022-30245?
CVE-2022-30245 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-30245?
Check the references section above for vendor advisories and patch information. Affected products include: Honeywell Alerton Compass.