CVE-2022-30274 — CRITICAL (9.8)

Vulnerability Description

The Motorola ACE1000 RTU through 2022-05-02 uses ECB encryption unsafely. It can communicate with an XRT LAN-to-radio gateway by means of an embedded client. Credentials for accessing this gateway are stored after being encrypted with the Tiny Encryption Algorithm (TEA) in ECB mode using a hardcoded key. Similarly, the ACE1000 RTU can route MDLC traffic over Extended Command and Management Protocol (XCMP) and Network Layer (XNL) networks via the MDLC driver. Authentication to the XNL port is protected by TEA in ECB mode using a hardcoded key.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Motorola	Ace1000 Firmware	-
Motorola	Ace1000	-

Related Weaknesses (CWE)

CWE-798

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-06MitigationThird Party AdvisoryUS Government Resource
https://www.forescout.com/blog/Not Applicable
https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-06MitigationThird Party AdvisoryUS Government Resource
https://www.forescout.com/blog/Not Applicable

FAQ

What is CVE-2022-30274?

CVE-2022-30274 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Motorola ACE1000 RTU through 2022-05-02 uses ECB encryption unsafely. It can communicate with an XRT LAN-to-radio gateway by means of an embedded client. Credentials for accessing this gateway are...

How severe is CVE-2022-30274?

CVE-2022-30274 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-30274?

Check the references section above for vendor advisories and patch information. Affected products include: Motorola Ace1000 Firmware, Motorola Ace1000.