Jos Wetzels

**Name of the Vulnerable Software and Affected Versions** CODESYS Development System V3 versions prior to V3.5.18.40 **Description** The issue is related to inadequate encryption strength, allowing an unauthenticated local attacker to access and manipulate the code of the encrypted boot application. It is also associated with the use of defective cryptographic algorithms, which can be exploited by a remote attacker to decrypt and modify the uploaded code by guessing session keys. **Recommendations** For CODESYS Development System V3 versions prior to V3.5.18.40, update to version V3.5.18.40 or later to resolve the issue. As a temporary workaround, consider restricting access to the encrypted boot application until a patch is available. Additionally, avoid using the defective cryptographic algorithms in the development environment to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Motorola MDLC protocol through 2022-05-02 **Description** The issue is related to the Motorola MDLC protocol's handling of message integrity. It supports three security modes: Plain, Legacy Encryption, and New Encryption. In Legacy Encryption mode, traffic is encrypted via the Tiny Encryption Algorithm (TEA) block-cipher in ECB mode, which does not offer message integrity and provides reduced confidentiality above the block level. This is demonstrated by an ECB Penguin attack against any block ciphers. The vulnerability may allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For the Motorola MDLC protocol through 2022-05-02, consider disabling the Legacy Encryption mode until a patch is available, as it uses the vulnerable Tiny Encryption Algorithm (TEA) block-cipher in ECB mode. Restrict access to the encrypted traffic to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 **Description** The issue concerns the misuse of passwords in the Emerson DeltaV Distributed Control System. Access to privileged operations on the maintenance port TELNET interface on M-series and SIS nodes is controlled by utility passwords generated using a deterministic, insecure algorithm. This algorithm uses a single seed value with less than 16 bits of entropy, making it easy for an attacker to reconstruct the passwords and gain access to privileged maintenance operations. The vulnerability is related to the use of defective cryptographic algorithms, which can allow a remote attacker to access the system's interface. **Recommendations** For Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29, consider disabling the TELNET interface on the maintenance port as a temporary workaround to minimize the risk of exploitation. Restrict access to the maintenance port to prevent unauthorized access until a secure password generation algorithm is implemented.

**Name of the Vulnerable Software and Affected Versions** Emerson ControlWave 'Next Generation' RTUs through 2022-05-02 **Description** The issue is related to insufficient authentication of data, which can allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The Emerson ControlWave 'Next Generation' RTUs mishandle firmware integrity, utilizing the BSAP-IP protocol to transmit firmware updates. These updates are supplied as CAB archive files containing a binary firmware image, but they lack authentication, such as firmware signing, and rely only on insecure checksums for integrity checks. **Recommendations** For Emerson ControlWave 'Next Generation' RTUs through 2022-05-02, consider disabling the use of the BSAP-IP protocol for firmware updates until a secure authentication mechanism is implemented. Restrict access to firmware updates to minimize the risk of exploitation. Avoid using insecure checksums for integrity checks; instead, implement a secure firmware signing mechanism to ensure the authenticity and integrity of firmware images. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Emerson ROC and FloBoss RTU product lines through 2022-05-02 **Description** The issue is related to insecure filesystem operations in the Emerson ROC and FloBoss RTU product lines. These products use the ROC protocol for communications between a master terminal and RTUs, specifically via ports 4000/TCP and 5000/TCP. The protocol's Opcode 203 allows a master terminal to perform arbitrary file and directory read, write, and delete operations on the flash filesystem. This could potentially allow a remote attacker to execute arbitrary code due to insecure privilege management. **Recommendations** For Emerson ROC and FloBoss RTU product lines through 2022-05-02, consider disabling the use of Opcode 203 in the ROC protocol until a secure update is available. Restrict access to the flash filesystem to minimize the risk of exploitation. Avoid using the ROC protocol for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Honeywell Experion PKS Safety Manager versions prior to 2022-05-06 **Description** The issue is related to the lack of authentication in the proprietary protocols used by the Honeywell Experion PKS Distributed Control System (DCS) Safety Manager, including Experion TCP (51000/TCP) and Safety Builder (51010/TCP). This allows an attacker to invoke desired functionality without authentication, potentially leading to adverse impacts such as manipulating controller state, configuration, logic, files, and IO. An attacker could issue IO manipulation commands, file read/write commands, controller start/stop commands, logic download/upload commands, file read commands, and system time change commands. A mitigating factor is that some of these functionalities require the Safety Manager physical keyswitch to be in the right position. **Recommendations** For Honeywell Experion PKS Safety Manager versions prior to 2022-05-06, consider disabling the Experion TCP and Safety Builder protocols until a patch is available. Restrict access to the affected ports (51000/TCP and 51010/TCP) to minimize the risk of exploitation. As a temporary workaround, ensure the Safety Manager physical keyswitch is not in the position that allows invocation of critical functionalities.

**Name of the Vulnerable Software and Affected Versions** Honeywell Experion PKS Safety Manager version 5.02 **Description** The issue is related to the use of hard-coded credentials in the Honeywell Experion PKS Safety Manager. The affected component is the POLO bootloader. An attacker with access to the serial interface can utilize these credentials to control the boot process and manipulate the unauthenticated firmware image. The potential impact is the ability to manipulate firmware. The Honeywell Experion PKS Safety Manager utilizes the DCOM-232/485 serial interface for firmware management purposes, and when booting, it exposes the Enea POLO bootloader via this interface. Access to the boot configuration is controlled by means of credentials hardcoded in the Safety Manager firmware. **Recommendations** For Honeywell Experion PKS Safety Manager version 5.02, consider restricting access to the serial interface to minimize the risk of exploitation. As a temporary workaround, limit physical access to the device and ensure that any connected systems, such as EWS or serial-to-ethernet gateways, are secure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Honeywell programmiруемых логических контроллеров versions prior to the fixed version Trend Controls IC protocol versions prior to 2022-05-06 **Description** The issue is related to the transmission of sensitive information, including PIN codes, usernames, and passwords, in cleartext. This allows an attacker with passive interception capabilities to obtain these credentials. The affected protocol is used for information exchange and automation purposes in building automation controllers. An attacker who obtains the credentials can carry out sensitive engineering actions, such as manipulating controller strategy or configuration settings. If the compromised credentials are reused for other applications, it could facilitate lateral movement. **Recommendations** For Honeywell programmiруемых логических контроллеров, update to a version that fixes the cleartext transmission issue. For Trend Controls IC protocol, update to a version released after 2022-05-06 to address the cleartext transmission of credentials. As a temporary workaround, consider restricting access to the Inter-Controller (IC) protocol to minimize the risk of exploitation. Avoid using the `username` and `password` parameters in the affected API endpoint until the issue is resolved. Restrict access to the `Inter-Controller (IC) protocol` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Honeywell Experion PKS Safety Manager versions through 2022-05-06 **Description** The issue is related to insufficient verification of data authenticity in the Safety Builder protocol used by Honeywell Experion PKS Safety Manager controllers. This allows an attacker to execute arbitrary machine code on the controller's CPU module, potentially leading to remote code execution and denial of service. The affected components include Honeywell FSC runtime and Honeywell Safety Builder. An attacker who can communicate with a Safety Manager controller via the Safety Builder protocol can execute arbitrary code without restrictions, allowing for covert manipulation of control operations. A mitigating factor is that some functionality requires the Safety Manager physical keyswitch to be in the right position. **Recommendations** For Honeywell Experion PKS Safety Manager versions through 2022-05-06, consider disabling the Safety Builder protocol until a patch is available to prevent arbitrary code execution. Restrict access to the controller's CPU module to minimize the risk of exploitation. Avoid using the Safety Builder protocol for engineering purposes until the issue is resolved. As a temporary workaround, ensure the Safety Manager physical keyswitch is in the correct position to mitigate some of the functionality. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Honeywell Experion LX through 2022-05-06 **Description** The issue concerns a missing authentication feature in the Honeywell Experion LX Control Data Access (CDA) EpicMo protocol, which is used for device diagnostics and maintenance purposes. This protocol, characterized as Honeywell Control Data Access (CDA) EpicMo (55565/TCP), lacks authentication functionality, allowing any attacker capable of communicating with the ports in question to invoke desired functionality. The potential impact includes firmware manipulation and denial of service, as an attacker could issue firmware download commands or reboot devices. **Recommendations** For Honeywell Experion LX through 2022-05-06, consider disabling the EpicMo protocol (55565/TCP) until a patch or fix is available to mitigate the risk of firmware manipulation and denial of service. Restrict access to the Control Data Access (CDA) EpicMo protocol to minimize the risk of exploitation. Avoid using the protocol for device diagnostics and maintenance purposes until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Honeywell Experion PKS Safety Manager version 5.02 **Description** The issue is related to insufficient verification of data authenticity, allowing for potential firmware manipulation. The affected component is the firmware update functionality. An attacker with access to the serial interface can utilize hardcoded credentials for the POLO bootloader to control the boot process and push malicious firmware images, enabling firmware manipulation, remote code execution, and denial of service impacts. The vulnerability can be exploited by an attacker with access to the serial interface, either through physical access, a compromised engineering workstation, or an exposed serial-to-ethernet gateway. A mitigating factor is that a reboot of the Safety Manager is required to initiate a firmware update, which is typically done through physical controls on the device. **Recommendations** For Honeywell Experion PKS Safety Manager version 5.02, consider disabling the firmware update functionality until a patch is available. Restrict access to the serial interface and the POLO bootloader to minimize the risk of exploitation. Avoid using hardcoded credentials for the POLO bootloader. As a temporary workaround, consider implementing additional security measures to prevent unauthorized access to the serial interface and the engineering workstation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Saia Burgess Controls (SBC) PCD through 2022-05-06 **Description** The issue is related to the use of an insecure algorithm for hashing passwords in the S-Bus protocol implementation of the Saia Burgess Controls (SBC) PCD controllers. This allows an attacker to bypass authentication by intercepting hashed credentials and finding collisions, thus gaining access to sensitive engineering functionality such as uploading or downloading control logic and manipulating controller configuration. The affected component is the S-Bus (5050/UDP) authentication. **Recommendations** For Saia Burgess Controls (SBC) PCD through 2022-05-06, consider disabling the S-Bus protocol or restricting access to sensitive engineering functionality until a secure hashing algorithm is implemented. As a temporary workaround, avoid using the `write byte` message to supply hashed versions of passwords. Restrict access to the S-Bus authentication component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Saia Burgess Controls (SBC) PCD through 2022-05-06 **Description** The issue concerns an authentication bypass in the S-Bus protocol used by Saia Burgess Controls (SBC) PCD controllers. The S-Bus protocol, which operates on UDP port 5050, is utilized for various engineering purposes and allows for password configuration to restrict access to sensitive functionality. However, the authentication mechanism, based on a MAC/IP whitelist with an inactivity timeout, can be bypassed by spoofing UDP traffic. An attacker capable of observing traffic can exploit this by sending arbitrary messages using the MAC/IP of an authenticated client, thereby gaining access to sensitive engineering functions such as uploading or downloading control logic and manipulating controller configurations. **Recommendations** For Saia Burgess Controls (SBC) PCD through 2022-05-06, consider restricting access to the S-Bus protocol (5050/UDP) to minimize the risk of exploitation until a patch is available. As a temporary workaround, restrict the use of the `S-Bus` protocol to only necessary engineering purposes. Additionally, monitor network traffic for signs of spoofing attempts and implement additional security measures to prevent unauthorized access to the controllers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Honeywell ControlEdge versions through R151.1 **Description** The issue is related to the use of hard-coded credentials in the Honeywell ControlEdge programmable logic controllers. This could allow a remote attacker to gain elevated privileges. The affected components are characterized as SSH, and the potential impact includes remote code execution, configuration manipulation, and denial of service. The Honeywell ControlEdge PLC and RTU product line exposes an SSH service on port 22/TCP, where login as root is permitted with hardcoded credentials for the root user that do not automatically change upon first commissioning. These hardcoded credentials grant an attacker access to a root shell on the PLC/RTU. **Recommendations** For Honeywell ControlEdge versions through R151.1, consider disabling the SSH service on port 22/TCP until a patch is available to prevent remote code execution, configuration manipulation, and denial of service. Restrict access to the root user to minimize the risk of exploitation. Avoid using the hardcoded credentials for the SSH service until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola ACE1000 RTU through 2022-05-02 **Description** The issue is related to the use of hardcoded SSH credentials. This could allow a remote attacker to gain unauthorized access to protected information. The hardcoded SSH private key is likely to be used by default due to the initialization scripts, such as /etc/init.d/sshd service, only generating a new key if no private-key file exists. **Recommendations** For Motorola ACE1000 RTU through 2022-05-02, consider regenerating the SSH private key to prevent the use of the hardcoded key. As a temporary workaround, restrict access to the SSH service until a more permanent solution can be applied.

**Name of the Vulnerable Software and Affected Versions** Motorola ACE1000 RTU through 2022-05-02 **Description** The issue concerns the use of default credentials for five preconfigured SSH accounts, including `root`, `abuilder`, `acelogin`, `cappl`, and `ace`. These accounts are used to control access to the SSH interface on port 22/TCP, which is utilized for remote maintenance and SFTP file-transfer operations. Although the documentation for the ACE1000 mentions the `root`, `abuilder`, and `acelogin` accounts and advises users to change the default credentials, the `cappl` and `ace` accounts remain undocumented, making it unlikely that their credentials will be changed. This could allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For Motorola ACE1000 RTU through 2022-05-02, consider changing the default credentials for all five preconfigured SSH accounts, including `root`, `abuilder`, `acelogin`, `cappl`, and `ace`, to prevent unauthorized access. As a temporary workaround, restrict access to the SSH interface on port 22/TCP to minimize the risk of exploitation. Additionally, review the ACE1000 documentation and ensure that all users are aware of the need to change the default credentials for all accounts, including the undocumented `cappl` and `ace` accounts.

**Name of the Vulnerable Software and Affected Versions** Motorola ACE1000 RTUs through 2022-05-02 **Description** The issue is related to the mishandling of application integrity in Motorola ACE1000 RTUs. These devices allow for custom application installation via the STS software, the C toolkit, or the ACE1000 Easy Configurator. Application images are uploaded via the Web UI in the case of the Easy Configurator, or transferred and installed using SFTP/SSH in the case of the C toolkit. The application images lack authentication, such as firmware signing, and rely only on insecure checksums for integrity checks. This can be exploited by a remote attacker to execute arbitrary code. **Recommendations** For Motorola ACE1000 RTUs through 2022-05-02, consider disabling the custom application installation feature via the STS software, the C toolkit, or the ACE1000 Easy Configurator until a patch is available. Restrict access to the Web UI and SFTP/SSH to minimize the risk of exploitation. Avoid using insecure checksums for integrity checks and implement a secure authentication mechanism, such as firmware signing, to ensure the integrity of application images. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JTEKT TOYOPUC PLCs versions prior to 2022-04-29 **Description** The issue is related to insufficient data authentication in the programmable logic controllers. This allows a remote attacker to execute arbitrary code. The controllers use the unauthenticated CMPLink/TCP protocol for engineering purposes, including downloading projects and control logic. The control logic downloaded to the PLC is not cryptographically authenticated, enabling an attacker to execute arbitrary machine code on the PLC's CPU module. In the case of the PC10G-CPU, and likely for other CPU modules of the TOYOPUC family, the processor lacks memory protection or privilege-separation capabilities, giving an attacker full control over the CPU. **Recommendations** For JTEKT TOYOPUC PLCs versions prior to 2022-04-29, consider disabling the CMPLink/TCP protocol until a patch is available to prevent exploitation. Restrict access to the control logic download functionality to minimize the risk of arbitrary code execution. As a temporary workaround, limit the use of the PLC's CPU module to essential operations only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JTEKT TOYOPUC PLCs through 2022-04-29 **Description** The issue is related to the mishandling of authentication in JTEKT TOYOPUC PLCs. They utilize the CMPLink/TCP protocol, which is configurable on ports 1024-65534 on either TCP or UDP, for various engineering purposes such as starting and stopping the PLC, downloading and uploading projects, and changing configuration settings. This protocol lacks authentication features, allowing any attacker capable of communicating with the port in question to invoke desired functionality. The vulnerability is associated with insufficient authentication data verification, which can be exploited by a remote attacker to execute arbitrary code. **Recommendations** For JTEKT TOYOPUC PLCs through 2022-04-29, consider disabling the CMPLink/TCP protocol until a patch is available to prevent exploitation. Restrict access to the configurable ports 1024-65534 on either TCP or UDP to minimize the risk of unauthorized access. As a temporary workaround, limit the functionality that can be invoked through the CMPLink/TCP protocol to reduce the potential impact of the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola MOSCAD and ACE line of RTUs through 2022-05-02 **Description** The issue concerns the omission of an authentication requirement in the Motorola MOSCAD and ACE line of RTUs. These devices feature IP Gateway modules that allow for communication between Motorola Data Link Communication (MDLC) networks and TCP/IP networks using the proprietary IPGW protocol on port 5001/TCP. This protocol lacks authentication features, enabling any attacker who can communicate with the port to invoke desired functionality. **Recommendations** For Motorola MOSCAD and ACE line of RTUs through 2022-05-02, consider disabling the IPGW protocol on port 5001/TCP as a temporary workaround until a patch is available. Restrict access to the IP Gateway modules to minimize the risk of exploitation. Avoid using the IPGW protocol until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.