Vulnerability Description
The Emerson ControlWave 'Next Generation' RTUs through 2022-05-02 mishandle firmware integrity. They utilize the BSAP-IP protocol to transmit firmware updates. Firmware updates are supplied as CAB archive files containing a binary firmware image. In all cases, firmware images were found to have no authentication (in the form of firmware signing) and only relied on insecure checksums for regular integrity checks.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Emerson | Controlwave Pac Firmware | <= 2022-05-02 |
| Emerson | Controlwave Pac | - |
| Emerson | Controlwave Micro Firmware | <= 2022-05-02 |
| Emerson | Controlwave Micro | - |
Related Weaknesses (CWE)
References
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-221-02MitigationThird Party AdvisoryUS Government Resource
- https://www.forescout.com/blog/Third Party Advisory
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-221-02MitigationThird Party AdvisoryUS Government Resource
- https://www.forescout.com/blog/Third Party Advisory
FAQ
What is CVE-2022-30262?
CVE-2022-30262 is a vulnerability with a CVSS score of 7.8 (HIGH). The Emerson ControlWave 'Next Generation' RTUs through 2022-05-02 mishandle firmware integrity. They utilize the BSAP-IP protocol to transmit firmware updates. Firmware updates are supplied as CAB arc...
How severe is CVE-2022-30262?
CVE-2022-30262 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-30262?
Check the references section above for vendor advisories and patch information. Affected products include: Emerson Controlwave Pac Firmware, Emerson Controlwave Pac, Emerson Controlwave Micro Firmware, Emerson Controlwave Micro.