CVE-2022-30315
 
0 Exploited in Wild
Descriptions
Honeywell Experion PKS Safety Manager (SM and FSC) through 2022-05-06 has Insufficient Verification of Data Authenticity. According to FSCT-2022-0053, there is a Honeywell Experion PKS Safety Manager insufficient logic security controls issue. The affected components are characterized as: Honeywell FSC runtime (FSC-CPU, QPP), Honeywell Safety Builder. The potential impact is: Remote Code Execution, Denial of Service. The Honeywell Experion PKS Safety Manager family of safety controllers utilize the unauthenticated Safety Builder protocol (FSCT-2022-0051) for engineering purposes, including downloading projects and control logic to the controller. Control logic is downloaded to the controller on a block-by-block basis. The logic that is downloaded consists of FLD code compiled to native machine code for the CPU module (which applies to both the Safety Manager and FSC families). Since this logic does not seem to be cryptographically authenticated, it allows an attacker capable of triggering a logic download to execute arbitrary machine code on the controller's CPU module in the context of the runtime. While the researchers could not verify this in detail, the researchers believe that the microprocessor underpinning the FSC and Safety Manager CPU modules is incapable of offering memory protection or privilege separation capabilities which would give an attacker full control of the CPU module. There is no authentication on control logic downloaded to the controller. Memory protection and privilege separation capabilities for the runtime are possibly lacking. The researchers confirmed the issues in question on Safety Manager R145.1 and R152.2 but suspect the issue affects all FSC and SM controllers and associated Safety Builder versions regardless of software or firmware revision. 
An attacker who can communicate with a Safety Manager controller via the Safety Builder protocol can execute arbitrary code without restrictions on the CPU module, allowing for covert manipulation of control operations and implanting capabilities similar to the TRITON malware (MITRE ATT&CK software ID S1009). A mitigating factor with regards to some, but not all, of the above functionality is that these require the Safety Manager physical keyswitch to be in the right position.
Timeline
- 2022-05-06 CVE Reserved
- 2022-07-28 CVE Published
- 2024-07-12 EPSS Updated
- 2024-08-03 CVE Updated
CWE
- CWE-345: Insufficient Verification of Data Authenticity
References (2)
URL | Tag | Source |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-207-02 | Mitigation | |
https://www.forescout.com/blog | Third Party Advisory | |
Affected Vendors, Products, and Versions
Relation | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|
| Honeywell | Safety Manager Firmware | - | - | Affected |
in | Honeywell | Safety Manager | - | - | Safe |