CVE-2022-29965

Name of the Vulnerable Software and Affected Versions Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29

Description The issue concerns the misuse of passwords in the Emerson DeltaV Distributed Control System. Access to privileged operations on the maintenance port TELNET interface on M-series and SIS nodes is controlled by utility passwords generated using a deterministic, insecure algorithm. This algorithm uses a single seed value with less than 16 bits of entropy, making it easy for an attacker to reconstruct the passwords and gain access to privileged maintenance operations. The vulnerability is related to the use of defective cryptographic algorithms, which can allow a remote attacker to access the system's interface.

Recommendations For Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29, consider disabling the TELNET interface on the maintenance port as a temporary workaround to minimize the risk of exploitation. Restrict access to the maintenance port to prevent unauthorized access until a secure password generation algorithm is implemented.