The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. Access to privileged operations on the maintenance port TELNET interface (23/TCP) on M-series and SIS (CSLS/LSNB/LSNG) nodes is controlled by means of utility passwords. These passwords are generated using a deterministic, insecure algorithm using a single seed value composed of a day/hour/minute timestamp with less than 16 bits of entropy. The seed value is fed through a lookup table and a series of permutation operations resulting in three different four-character passwords corresponding to different privilege levels. An attacker can easily reconstruct these passwords and thus gain access to privileged maintenance operations. NOTE: this is different from CVE-2014-2350.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-07-26T21:14:24

Updated: 2024-08-03T06:33:43.166Z

Reserved: 2022-04-29T00:00:00

Link: CVE-2022-29965

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-07-26T22:15:11.183

Modified: 2024-11-21T07:00:04.757

Link: CVE-2022-29965

cve-icon Redhat

No data.