Daniel Dos Santos

**Name of the Vulnerable Software and Affected Versions** WAGO devices (affected versions not specified) **Description** The issue is related to insufficient input validation in the software of WAGO programmable logic controllers, which may allow an authenticated remote attacker with high privileges to cause a denial of service (DoS) by sending a malformed packet. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WAGO 750 versions (affected versions not specified) **Description** The issue is related to insufficient input validation in the software of WAGO 750 programmable logic controllers. It may allow a remote attacker to cause a denial of service using specially crafted packets. The problem can be exploited by an authenticated remote attacker with high privileges, targeting the CODESYS V2 runtime. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Festo products (affected versions not specified) **Description** The issue is related to insufficient technical documentation of Festo products' firmware, which could allow a remote unauthenticated attacker to exploit functions of an undocumented protocol. This could lead to a complete loss of confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Festo control block CPX-CEC-C1 and CPX-CMXX versions (affected versions not specified) **Description** The issue is related to the lack of authentication for a critical function in the web interface of the Festo control block CPX-CEC-C1 and CPX-CMXX. This allows unauthenticated, remote access to critical webpage functions, which may cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola ACE1000 RTU versions prior to 2022-05-02 **Description** The issue is related to the use of hardcoded credentials in the XRT LAN-to-radio gateway and XNL microcode software of the Motorola ACE1000 RTU. This allows a remote attacker to gain unauthorized access to protected information. The Motorola ACE1000 RTU uses ECB encryption unsafely, storing credentials encrypted with the Tiny Encryption Algorithm (TEA) in ECB mode using a hardcoded key. This affects communication with the XRT LAN-to-radio gateway and authentication to the XNL port. **Recommendations** For Motorola ACE1000 RTU versions prior to 2022-05-02, consider disabling the use of hardcoded credentials for the XRT LAN-to-radio gateway and XNL port until a patch is available. Restrict access to the XNL port to minimize the risk of exploitation. Avoid using the hardcoded key for TEA encryption in ECB mode until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola MDLC protocol through 2022-05-02 **Description** The issue is related to the Motorola MDLC protocol's handling of message integrity. It supports three security modes: Plain, Legacy Encryption, and New Encryption. In Legacy Encryption mode, traffic is encrypted via the Tiny Encryption Algorithm (TEA) block-cipher in ECB mode, which does not offer message integrity and provides reduced confidentiality above the block level. This is demonstrated by an ECB Penguin attack against any block ciphers. The vulnerability may allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For the Motorola MDLC protocol through 2022-05-02, consider disabling the Legacy Encryption mode until a patch is available, as it uses the vulnerable Tiny Encryption Algorithm (TEA) block-cipher in ECB mode. Restrict access to the encrypted traffic to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Omron CS series, CJ series, and CP series PLCs versions prior to 2022-05-18 **Description** The issue is related to the storage of the password for access to the Web UI in memory area D1449...D1452, which can be read out using the Omron FINS protocol without any further authentication. This is due to weaknesses in the authentication procedure of the Omron FINS protocol implementation in the SYSMAC CP series programmable logic controllers. An attacker could exploit this to gain unauthorized access to protected information. **Recommendations** For Omron CS series, CJ series, and CP series PLCs versions prior to 2022-05-18, consider restricting access to the Omron FINS protocol to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the use of the Web UI and ensure that all access to the PLCs is properly authenticated and authorized. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola MOSCAD and ACE line of RTUs through 2022-05-02 **Description** The issue concerns the omission of an authentication requirement in the Motorola MOSCAD and ACE line of RTUs. These devices feature IP Gateway modules that allow for communication between Motorola Data Link Communication (MDLC) networks and TCP/IP networks using the proprietary IPGW protocol on port 5001/TCP. This protocol lacks authentication features, enabling any attacker who can communicate with the port to invoke desired functionality. **Recommendations** For Motorola MOSCAD and ACE line of RTUs through 2022-05-02, consider disabling the IPGW protocol on port 5001/TCP as a temporary workaround until a patch is available. Restrict access to the IP Gateway modules to minimize the risk of exploitation. Avoid using the IPGW protocol until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Omron CS series, CJ series, and CP series PLCs through 2022-05-18 **Description** The issue concerns the transmission of confidential information in cleartext, specifically passwords used for the UM Protection setting. This setting allows users or system integrators to configure a password to restrict sensitive engineering operations, such as project/logic uploads and downloads. The passwords are set using the OMRON FINS command `Program Area Protect` and unset using the command `Program Area Protect Clear`, both of which are transmitted in cleartext. This could allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For Omron CS series, CJ series, and CP series PLCs through 2022-05-18, consider disabling the UM Protection setting until a secure method of password transmission is implemented. Restrict access to the `Program Area Protect` and `Program Area Protect Clear` commands to minimize the risk of exploitation. Avoid using cleartext passwords for sensitive engineering operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Omron SYSMAC Nx product family PLCs (NJ series, NY series, NX series, and PMAC series) through 2022-005-18 **Description** The issue is related to the lack of cryptographic authentication in the Omron SYSMAC Nx product family PLCs. This allows an attacker to manipulate transmitted object code to the PLC and execute arbitrary machine code on the processor of the PLC's CPU module in the context of the runtime. The PLCs are programmed using the SYMAC Studio engineering software, which compiles IEC 61131-3 conformant POU code to native machine code for execution by the PLC's runtime. In some cases, an RTOS and hardware combination is used that could potentially allow for memory protection and privilege separation, limiting the impact of code execution. **Recommendations** For Omron SYSMAC Nx product family PLCs (NJ series, NY series, NX series, and PMAC series) through 2022-005-18, consider implementing additional security measures to authenticate and verify the integrity of the code downloaded to the PLC, such as cryptographic authentication, to prevent manipulation of transmitted object code. As a temporary workaround, restrict access to the PLC's runtime environment to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Honeywell Experion LX through 2022-05-06 **Description** The issue concerns a missing authentication feature in the Honeywell Experion LX Control Data Access (CDA) EpicMo protocol, which is used for device diagnostics and maintenance purposes. This protocol, characterized as Honeywell Control Data Access (CDA) EpicMo (55565/TCP), lacks authentication functionality, allowing any attacker capable of communicating with the ports in question to invoke desired functionality. The potential impact includes firmware manipulation and denial of service, as an attacker could issue firmware download commands or reboot devices. **Recommendations** For Honeywell Experion LX through 2022-05-06, consider disabling the EpicMo protocol (55565/TCP) until a patch or fix is available to mitigate the risk of firmware manipulation and denial of service. Restrict access to the Control Data Access (CDA) EpicMo protocol to minimize the risk of exploitation. Avoid using the protocol for device diagnostics and maintenance purposes until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Honeywell Experion PKS Safety Manager version 5.02 **Description** The issue is related to insufficient verification of data authenticity, allowing for potential firmware manipulation. The affected component is the firmware update functionality. An attacker with access to the serial interface can utilize hardcoded credentials for the POLO bootloader to control the boot process and push malicious firmware images, enabling firmware manipulation, remote code execution, and denial of service impacts. The vulnerability can be exploited by an attacker with access to the serial interface, either through physical access, a compromised engineering workstation, or an exposed serial-to-ethernet gateway. A mitigating factor is that a reboot of the Safety Manager is required to initiate a firmware update, which is typically done through physical controls on the device. **Recommendations** For Honeywell Experion PKS Safety Manager version 5.02, consider disabling the firmware update functionality until a patch is available. Restrict access to the serial interface and the POLO bootloader to minimize the risk of exploitation. Avoid using hardcoded credentials for the POLO bootloader. As a temporary workaround, consider implementing additional security measures to prevent unauthorized access to the serial interface and the engineering workstation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Saia Burgess Controls (SBC) PCD through 2022-05-06 **Description** The issue is related to the use of an insecure algorithm for hashing passwords in the S-Bus protocol implementation of the Saia Burgess Controls (SBC) PCD controllers. This allows an attacker to bypass authentication by intercepting hashed credentials and finding collisions, thus gaining access to sensitive engineering functionality such as uploading or downloading control logic and manipulating controller configuration. The affected component is the S-Bus (5050/UDP) authentication. **Recommendations** For Saia Burgess Controls (SBC) PCD through 2022-05-06, consider disabling the S-Bus protocol or restricting access to sensitive engineering functionality until a secure hashing algorithm is implemented. As a temporary workaround, avoid using the `write byte` message to supply hashed versions of passwords. Restrict access to the S-Bus authentication component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Saia Burgess Controls (SBC) PCD through 2022-05-06 **Description** The issue concerns an authentication bypass in the S-Bus protocol used by Saia Burgess Controls (SBC) PCD controllers. The S-Bus protocol, which operates on UDP port 5050, is utilized for various engineering purposes and allows for password configuration to restrict access to sensitive functionality. However, the authentication mechanism, based on a MAC/IP whitelist with an inactivity timeout, can be bypassed by spoofing UDP traffic. An attacker capable of observing traffic can exploit this by sending arbitrary messages using the MAC/IP of an authenticated client, thereby gaining access to sensitive engineering functions such as uploading or downloading control logic and manipulating controller configurations. **Recommendations** For Saia Burgess Controls (SBC) PCD through 2022-05-06, consider restricting access to the S-Bus protocol (5050/UDP) to minimize the risk of exploitation until a patch is available. As a temporary workaround, restrict the use of the `S-Bus` protocol to only necessary engineering purposes. Additionally, monitor network traffic for signs of spoofing attempts and implement additional security measures to prevent unauthorized access to the controllers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola ACE1000 RTU through 2022-05-02 **Description** The issue concerns the use of default credentials for five preconfigured SSH accounts, including `root`, `abuilder`, `acelogin`, `cappl`, and `ace`. These accounts are used to control access to the SSH interface on port 22/TCP, which is utilized for remote maintenance and SFTP file-transfer operations. Although the documentation for the ACE1000 mentions the `root`, `abuilder`, and `acelogin` accounts and advises users to change the default credentials, the `cappl` and `ace` accounts remain undocumented, making it unlikely that their credentials will be changed. This could allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For Motorola ACE1000 RTU through 2022-05-02, consider changing the default credentials for all five preconfigured SSH accounts, including `root`, `abuilder`, `acelogin`, `cappl`, and `ace`, to prevent unauthorized access. As a temporary workaround, restrict access to the SSH interface on port 22/TCP to minimize the risk of exploitation. Additionally, review the ACE1000 documentation and ensure that all users are aware of the need to change the default credentials for all accounts, including the undocumented `cappl` and `ace` accounts.

**Name of the Vulnerable Software and Affected Versions** Motorola MOSCAD Toolbox software through 2022-05-02 **Description** The issue concerns the use of a cleartext password in the Motorola MOSCAD Toolbox software. This password is stored in the wmdlcdrv.ini driver configuration file and is used for access control to MOSCAD/STS projects protected with the Legacy Password feature. An insecure CRC of the password is present in the project file and is validated against the password in the driver configuration file. The software utilizes an MDLC driver to communicate with MOSCAD/ACE RTUs for engineering purposes. **Recommendations** For Motorola MOSCAD Toolbox software through 2022-05-02, consider disabling the use of the Legacy Password feature until a secure alternative is implemented. Restrict access to the wmdlcdrv.ini driver configuration file to minimize the risk of exploitation. Avoid using the cleartext password stored in this file for access control to MOSCAD/STS projects. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola ACE1000 RTU through 2022-05-02 **Description** The issue is related to the use of hardcoded SSH credentials. This could allow a remote attacker to gain unauthorized access to protected information. The hardcoded SSH private key is likely to be used by default due to the initialization scripts, such as /etc/init.d/sshd service, only generating a new key if no private-key file exists. **Recommendations** For Motorola ACE1000 RTU through 2022-05-02, consider regenerating the SSH private key to prevent the use of the hardcoded key. As a temporary workaround, restrict access to the SSH service until a more permanent solution can be applied.

**Name of the Vulnerable Software and Affected Versions** Motorola ACE1000 RTUs through 2022-05-02 **Description** The issue is related to the mishandling of application integrity in Motorola ACE1000 RTUs. These devices allow for custom application installation via the STS software, the C toolkit, or the ACE1000 Easy Configurator. Application images are uploaded via the Web UI in the case of the Easy Configurator, or transferred and installed using SFTP/SSH in the case of the C toolkit. The application images lack authentication, such as firmware signing, and rely only on insecure checksums for integrity checks. This can be exploited by a remote attacker to execute arbitrary code. **Recommendations** For Motorola ACE1000 RTUs through 2022-05-02, consider disabling the custom application installation feature via the STS software, the C toolkit, or the ACE1000 Easy Configurator until a patch is available. Restrict access to the Web UI and SFTP/SSH to minimize the risk of exploitation. Avoid using insecure checksums for integrity checks and implement a secure authentication mechanism, such as firmware signing, to ensure the integrity of application images. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JTEKT TOYOPUC PLCs versions prior to 2022-04-29 **Description** The issue is related to insufficient data authentication in the programmable logic controllers. This allows a remote attacker to execute arbitrary code. The controllers use the unauthenticated CMPLink/TCP protocol for engineering purposes, including downloading projects and control logic. The control logic downloaded to the PLC is not cryptographically authenticated, enabling an attacker to execute arbitrary machine code on the PLC's CPU module. In the case of the PC10G-CPU, and likely for other CPU modules of the TOYOPUC family, the processor lacks memory protection or privilege-separation capabilities, giving an attacker full control over the CPU. **Recommendations** For JTEKT TOYOPUC PLCs versions prior to 2022-04-29, consider disabling the CMPLink/TCP protocol until a patch is available to prevent exploitation. Restrict access to the control logic download functionality to minimize the risk of arbitrary code execution. As a temporary workaround, limit the use of the PLC's CPU module to essential operations only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Honeywell ControlEdge versions through R151.1 **Description** The issue is related to the use of hard-coded credentials in the Honeywell ControlEdge programmable logic controllers. This could allow a remote attacker to gain elevated privileges. The affected components are characterized as SSH, and the potential impact includes remote code execution, configuration manipulation, and denial of service. The Honeywell ControlEdge PLC and RTU product line exposes an SSH service on port 22/TCP, where login as root is permitted with hardcoded credentials for the root user that do not automatically change upon first commissioning. These hardcoded credentials grant an attacker access to a root shell on the PLC/RTU. **Recommendations** For Honeywell ControlEdge versions through R151.1, consider disabling the SSH service on port 22/TCP until a patch is available to prevent remote code execution, configuration manipulation, and denial of service. Restrict access to the root user to minimize the risk of exploitation. Avoid using the hardcoded credentials for the SSH service until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.