Vulnerability Details : CVE-2022-29952
Bently Nevada condition monitoring equipment through 2022-04-29 mishandles authentication. It utilizes the TDI command and data protocols (60005/TCP, 60007/TCP) for communications between the monitoring controller and System 1 and/or Bently Nevada Monitor Configuration (BNMC) software. These protocols provide configuration management and historical data related functionality. Neither protocol has any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.
Products affected by CVE-2022-29952
- cpe:2.3:o:bakerhughes:bently_nevada_3701\/40_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bakerhughes:bently_nevada_3701\/44_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bakerhughes:bently_nevada_3701\/46_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:bakerhughes:bently_nevada_60m100_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-29952
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 26 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-29952
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
3.9
|
5.2
|
NIST |
CWE ids for CVE-2022-29952
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-29952
-
https://www.forescout.com/blog/
Blog - ForescoutThird Party Advisory
-
https://www.cisa.gov/uscert/ics/advisories/icsa-22-188-02
Bently Nevada ADAPT 3701/4X Series and 60M100 | CISAMitigation;Third Party Advisory;US Government Resource
Jump to