Vulnerability Details : CVE-2022-29960
Emerson OpenBSI through 2022-04-29 uses weak cryptography. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. DES with hardcoded cryptographic keys is used for protection of certain system credentials, engineering files, and sensitive utilities.
Exploit prediction scoring system (EPSS) score for CVE-2022-29960
Probability of exploitation activity in the next 30 days: 0.05%
Percentile, the proportion of vulnerabilities that are scored at or less: ~14%
CVSS scores for CVE-2022-29960
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST |
CWE ids for CVE-2022-29960
- The product uses a broken or risky cryptographic algorithm or protocol. Assigned by: nvd@nist.gov (Primary)
- The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-29960
- https://www.forescout.com/blog/ (Blog - Forescout; Third Party Advisory)
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-181-03 (Emerson DeltaV Distributed Control System | CISA; Not Applicable; Third Party Advisory; US Government Resource)
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-221-03 (Emerson OpenBSI | CISA; Third Party Advisory; US Government Resource)
Products affected by CVE-2022-29960
- cpe:2.3:a:emerson:openbsi:*:*:*:*:*:*:*:*
- cpe:2.3:a:emerson:openbsi:5.9:sp1:*:*:*:*:*:*
- cpe:2.3:a:emerson:openbsi:5.9:sp2:*:*:*:*:*:*
- cpe:2.3:a:emerson:openbsi:5.9:sp3:*:*:*:*:*:*
- cpe:2.3:a:emerson:openbsi:5.9:-:*:*:*:*:*:*