CVE-2022-30317 — CRITICAL (9.1)

Q: How severe is CVE-2022-30317?

CVE-2022-30317 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-30317?

Check the references section above for vendor advisories and patch information. Affected products include: Honeywell Experion Lx Firmware, Honeywell Experion Lx.

Vulnerability Description

Honeywell Experion LX through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0055, there is a Honeywell Experion LX Control Data Access (CDA) EpicMo protocol with unauthenticated functionality issue. The affected components are characterized as: Honeywell Control Data Access (CDA) EpicMo (55565/TCP). The potential impact is: Firmware manipulation, Denial of service. The Honeywell Experion LX Distributed Control System (DCS) utilizes the Control Data Access (CDA) EpicMo protocol (55565/TCP) for device diagnostics and maintenance purposes. This protocol does not have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. There is no authentication functionality on the protocol in question. An attacker capable of invoking the protocols' functionalities could issue firmware download commands potentially allowing for firmware manipulation and reboot devices causing denial of service.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Honeywell	Experion Lx Firmware	< r520.1
Honeywell	Experion Lx	-

Related Weaknesses (CWE)

CWE-306

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-242-07MitigationThird Party AdvisoryUS Government Resource
https://www.forescout.com/blog/Not Applicable
https://www.cisa.gov/uscert/ics/advisories/icsa-22-242-07MitigationThird Party AdvisoryUS Government Resource
https://www.forescout.com/blog/Not Applicable

FAQ

What is CVE-2022-30317?

CVE-2022-30317 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Honeywell Experion LX through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0055, there is a Honeywell Experion LX Control Data Access (CDA) EpicMo protocol wit...

How severe is CVE-2022-30317?

CVE-2022-30317 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-30317?

Check the references section above for vendor advisories and patch information. Affected products include: Honeywell Experion Lx Firmware, Honeywell Experion Lx.