Emerson Ovation

1. EXECUTIVE SUMMARY

  • CVSS v3 9.8
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Emerson
  • Equipment: Ovation
  • Vulnerabilities: Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity

CISA is aware of a public report, known as “OT:ICEFALL”, detailing vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and to identify baseline mitigations for reducing the risk from these and other cybersecurity attacks.

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote code execution, loss of sensitive information, a denial-of-service condition, or modification of the controller configuration by an attacker.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Emerson products are affected:

  • Ovation: Version 3.8.0 Feature Pack 1 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product has several protocols that have no authentication, which could allow an attacker to change controller configuration or cause a denial-of-service condition.

CVE-2022-29966 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-29966. A base score of 9.3 has been calculated; the CVSS vector string is (