Emerson Ovation Missing Authentication for Critical Function (CVE-2022-29966)

Critical severity, Tenable OT Security Plugin ID 502373

Synopsis

The remote OT asset is affected by a missing-authentication vulnerability.

Description

The affected product has several protocols that have no authentication, which could allow an attacker to change controller configuration or cause a denial-of-service condition.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

Emerson recommends the following:
- Upgrade to the currently available release of Ovation 3.8.0 Feature Pack 3 for remediation of many of the identified vulnerabilities.
- Users are advised to consider the use of OCR3000 controllers, which offer an extra layer of protection that is not available to older controller models.
- Deploy and configure Ovation systems and related components as described in the Cybersecurity for Ovation Systems manual (OVREF1000).
- Users with questions or concerns regarding the impact of these vulnerabilities on Ovation should contact the Ovation-CERT by email or phone (1-800-445-9723, option 3).

See Also

https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-02

Plugin Details

Severity: Critical

ID: 502373

Version: 1.2

Type: remote

Family: Tenable.ot

Published: 9/2/2024

Updated: 9/3/2024

Supported Sensors: Tenable OT Security

Risk Information

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/h:emerson:ovation_occ100, cpe:/h:emerson:ovation_ocr1100, cpe:/h:emerson:ovation_ocr3000, cpe:/h:emerson:ovation_ocr400

Required KB Items: Tenable.ot/Emerson

Exploit Ease: No known exploits are available

Patch Publication Date: 6/6/2023

Vulnerability Publication Date: 6/6/2023

Reference Information

CVE: CVE-2022-29966

ICSA: 24-158-02