{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:honeywell:safety_manager_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "51819C44-DBCB-4FDB-8413-0268012EADF1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:honeywell:safety_manager:-:*:*:*:*:*:*:*", "matchCriteriaId": "6E6B8510-74F7-4B1F-A59A-0FC4261DFE90", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Honeywell Experion PKS Safety Manager (SM and FSC) through 2022-05-06 has Insufficient Verification of Data Authenticity. According to FSCT-2022-0053, there is a Honeywell Experion PKS Safety Manager insufficient logic security controls issue. The affected components are characterized as: Honeywell FSC runtime (FSC-CPU, QPP), Honeywell Safety Builder. The potential impact is: Remote Code Execution, Denial of Service. The Honeywell Experion PKS Safety Manager family of safety controllers utilize the unauthenticated Safety Builder protocol (FSCT-2022-0051) for engineering purposes, including downloading projects and control logic to the controller. Control logic is downloaded to the controller on a block-by-block basis. The logic that is downloaded consists of FLD code compiled to native machine code for the CPU module (which applies to both the Safety Manager and FSC families). Since this logic does not seem to be cryptographically authenticated, it allows an attacker capable of triggering a logic download to execute arbitrary machine code on the controller's CPU module in the context of the runtime. While the researchers could not verify this in detail, the researchers believe that the microprocessor underpinning the FSC and Safety Manager CPU modules is incapable of offering memory protection or privilege separation capabilities which would give an attacker full control of the CPU module. 
There is no authentication on control logic downloaded to the controller. Memory protection and privilege separation capabilities for the runtime are possibly lacking. The researchers confirmed the issues in question on Safety Manager R145.1 and R152.2 but suspect the issue affects all FSC and SM controllers and associated Safety Builder versions regardless of software or firmware revision. An attacker who can communicate with a Safety Manager controller via the Safety Builder protocol can execute arbitrary code without restrictions on the CPU module, allowing for covert manipulation of control operations and implanting capabilities similar to the TRITON malware (MITRE ATT&CK software ID S1009). A mitigating factor with regards to some, but not all, of the above functionality is that these require the Safety Manager physical keyswitch to be in the right position."}, {"lang": "es", "value": "Honeywell Experion PKS Safety Manager (SM y FSC) versiones hasta 06-05-2022, presenta una verificaci\u00f3n insuficiente de la autenticidad de los datos. De acuerdo con FSCT-2022-0053, se presenta un problema de controles de seguridad l\u00f3gicos insuficientes en Honeywell Experion PKS Safety Manager. Los componentes afectados son caracterizados como: Honeywell FSC runtime (FSC-CPU, QPP), Honeywell Safety Builder. El impacto potencial es: Ejecuci\u00f3n de c\u00f3digo remota , denegaci\u00f3n de servicio. La familia de controladores de seguridad Experion PKS de Honeywell usa el protocolo Safety Builder no autenticado (FSCT-2022-0051) para fines de ingenier\u00eda, incluyendo la descarga de proyectos y l\u00f3gica de control al controlador. La l\u00f3gica de control es descargada en el controlador bloque por bloque. La l\u00f3gica que es descargada consiste en c\u00f3digo FLD compilado a c\u00f3digo m\u00e1quina nativo para el m\u00f3dulo CPU (que es aplicado tanto a las familias Safety Manager como FSC). 
Como esta l\u00f3gica no parece estar autenticada criptogr\u00e1ficamente, permite a un atacante capaz de desencadenar una descarga de l\u00f3gica ejecutar c\u00f3digo m\u00e1quina arbitrario en el m\u00f3dulo CPU del controlador en el contexto del tiempo de ejecuci\u00f3n. Aunque los investigadores no han podido comprobarlo en detalle, creen que el microprocesador en el que son basados los m\u00f3dulos de la CPU del FSC y del Safety Manager es incapaz de ofrecer protecci\u00f3n de memoria o capacidades de separaci\u00f3n de privilegios, lo que dar\u00eda a un atacante el control total del m\u00f3dulo de la CPU. No se presenta autenticaci\u00f3n en la l\u00f3gica de control descargada en el controlador. Es posible que carezca de capacidades de protecci\u00f3n de memoria y separaci\u00f3n de privilegios para el tiempo de ejecuci\u00f3n. Los investigadores confirmaron los problemas en cuesti\u00f3n en Safety Manager versiones R145.1 y R152.2, pero sospechan que el problema afecta a todos los controladores FSC y SM y a las versiones de Safety Builder asociadas, independientemente de la revisi\u00f3n del software o del firmware. Un atacante que pueda comunicarse con un controlador Safety Manager por medio del protocolo Safety Builder puede ejecutar c\u00f3digo arbitrario sin restricciones en el m\u00f3dulo de la CPU, lo que permite manipular de forma encubierta las operaciones de control e implantar capacidades similares a las del malware TRITON (MITRE ATT&CK software ID S1009). 
Un factor atenuante con respecto a algunas, pero no todas, las funcionalidades anteriores es que \u00e9stas requieren que el interruptor de llave f\u00edsico del Safety Manager est\u00e9 en la posici\u00f3n correcta"}], "id": "CVE-2022-30315", "lastModified": "2024-11-21T07:02:33.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-28T16:15:11.063", "references": [{"source": "cve@mitre.org", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-207-02"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.forescout.com/blog/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-207-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.forescout.com/blog/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}]}