Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-29965

The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. Access to privileged operations on the maintenance port TELNET interface (23/TCP) on M-series and SIS (CSLS/LSNB/LSNG) nodes is controlled by means of utility passwords. These passwords are generated using a deterministic, insecure algorithm using a single seed value composed of a day/hour/minute timestamp with less than 16 bits of entropy. The seed value is fed through a lookup table and a series of permutation operations resulting in three different four-character passwords corresponding to different privilege levels. An attacker can easily reconstruct these passwords and thus gain access to privileged maintenance operations. NOTE: this is different from CVE-2014-2350.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 5.5, requiring local system access to exploit with relatively low complexity without requiring user interaction requiring only low-level privileges . The vulnerability impacts confidentiality (data exposure), for affected systems. Impacting 49 products from emerson, from emerson, from emerson and 46 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2022, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2022-07-26T22:15:11.183

Last Modified

2024-11-21T07:00:04.757

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

Weaknesses

Type: Primary
CWE-327

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	emerson	deltav_distributed_control_system	≤ 2022-04-29	Yes
Operating System	emerson	deltav_distributed_control_system_sq_controller_firmware	≤ 2022-04-29	Yes
Hardware	emerson	deltav_distributed_control_system_sq_controller	-	No
Operating System	emerson	deltav_distributed_control_system_sx_controller_firmware	≤ 2022-04-29	Yes
Hardware	emerson	deltav_distributed_control_system_sx_controller	-	No
Operating System	emerson	se4002s1t2b6_high_side_40-pin_mass_i\/o_terminal_block_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4002s1t2b6_high_side_40-pin_mass_i\/o_terminal_block	-	No
Operating System	emerson	se4003s2b4_16-pin_mass_i\/o_terminal_block_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4003s2b4_16-pin_mass_i\/o_terminal_block	-	No
Operating System	emerson	se4003s2b524-pin_mass_i\/o_terminal_block_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4003s2b524-pin_mass_i\/o_terminal_block	-	No
Operating System	emerson	se4017p0_h1_i\/o_interface_card_and_terminl_block_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4017p0_h1_i\/o_interface_card_and_terminl_block	-	No
Operating System	emerson	se4017p1_h1_i\/o_card_with_integrated_power_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4017p1_h1_i\/o_card_with_integrated_power	-	No
Operating System	emerson	se4019p0_simplex_h1_4-port_plus_fieldbus_i\/o_interface_with_terminalblock_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4019p0_simplex_h1_4-port_plus_fieldbus_i\/o_interface_with_terminalblock	-	No
Operating System	emerson	se4026_virtual_i\/o_module_2_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4026_virtual_i\/o_module_2	-	No
Operating System	emerson	se4027_virtual_i\/o_module_2_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4027_virtual_i\/o_module_2	-	No
Operating System	emerson	se4032s1t2b8_high_side_40-pin_do_mass_i\/o_terminal_block_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4032s1t2b8_high_side_40-pin_do_mass_i\/o_terminal_block	-	No
Operating System	emerson	se4037p0_h1_i\/o_interface_card_and_terminl_block_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4037p0_h1_i\/o_interface_card_and_terminl_block	-	No
Operating System	emerson	se4037p1_redundant_h1_i\/o_card_with_integrated_power_and_terminal_block_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4037p1_redundant_h1_i\/o_card_with_integrated_power_and_terminal_block	-	No
Operating System	emerson	se4039p0_redundant_h1_4-port_plus_fieldbus_i\/o_interface_with_terminalblock_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4039p0_redundant_h1_4-port_plus_fieldbus_i\/o_interface_with_terminalblock	-	No
Operating System	emerson	se4052s1t2b6_high_side_40-pin_mass_i\/o_terminal_block_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4052s1t2b6_high_side_40-pin_mass_i\/o_terminal_block	-	No
Operating System	emerson	se4082s1t2b8_high_side_40-pin_do_mass_i\/o_terminal_block_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4082s1t2b8_high_side_40-pin_do_mass_i\/o_terminal_block	-	No
Operating System	emerson	se4100_simplex_ethernet_i\/o_card_\(eioc\)_assembly_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4100_simplex_ethernet_i\/o_card_\(eioc\)_assembly	-	No
Operating System	emerson	se4101_simplex_ethernet_i\/o_card_\(eioc\)_assembly_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4101_simplex_ethernet_i\/o_card_\(eioc\)_assembly	-	No
Operating System	emerson	se4801t0x_redundant_wireless_i\/o_card_firmware	≤ 2022-04-29	Yes
Hardware	emerson	se4801t0x_redundant_wireless_i\/o_card	-	No
Operating System	emerson	ve4103_modbus_tcp_interface_for_ethernet_connected_i\/o_\(eioc\)_firmware	≤ 2022-04-29	Yes
Hardware	emerson	ve4103_modbus_tcp_interface_for_ethernet_connected_i\/o_\(eioc\)	-	No
Operating System	emerson	ve4104_ethernet\/ip_control_tag_integration_for_ethernet_connected_i\/o_\(eioc\)_firmware	≤ 2022-04-29	Yes
Hardware	emerson	ve4104_ethernet\/ip_control_tag_integration_for_ethernet_connected_i\/o_\(eioc\)	-	No
Operating System	emerson	ve4105_ethernet\/ip_interface_for_ethernet_connected_i\/o_\(eioc\)_firmware	≤ 2022-04-29	Yes
Hardware	emerson	ve4105_ethernet\/ip_interface_for_ethernet_connected_i\/o_\(eioc\)	-	No
Operating System	emerson	ve4106_opc-ua_client_for_ethernet_connected_i\/o_\(eioc\)_firmware	≤ 2022-04-29	Yes
Hardware	emerson	ve4106_opc-ua_client_for_ethernet_connected_i\/o_\(eioc\)	-	No
Operating System	emerson	ve4107_iec_61850_mms_interface_for_ethernet_connected_i\/o_\(eioc\)_firmware	≤ 2022-04-29	Yes
Hardware	emerson	ve4107_iec_61850_mms_interface_for_ethernet_connected_i\/o_\(eioc\)	-	No

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-181-03 Third Party Advisory, US Government Resource ([email protected])
https://www.forescout.com/blog/ Third Party Advisory ([email protected])
https://www.cisa.gov/uscert/ics/advisories/icsa-22-181-03 Third Party Advisory, US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
https://www.forescout.com/blog/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For emerson's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.