CVE: CVE-2022-29959

Export to Word

Emerson OpenBSI through 2022-04-29 mishandles credential storage. It is an engineering environment for the ControlWave and Bristol Babcock line of RTUs. This environment provides access control functionality through user authentication and privilege management. The credentials for various users are stored insecurely in the SecUsers.ini file by using a simple string transformation rather than a cryptographic mechanism.

Threat-Mapped Scoring

Score: 0.0

Priority: Unclassified

EPSS

Score: 0.0005
Percentile: 0.15518

CVSS Scoring

CVSS v3.1 Score: 5.5

Severity: MEDIUM

Mapped CWE(s)

CWE-522 : Insufficiently Protected Credentials

All CAPEC(s)

CAPEC-102: Session Sidejacking
CAPEC-474: Signature Spoofing by Key Theft
CAPEC-50: Password Recovery Exploitation
CAPEC-509: Kerberoasting
CAPEC-551: Modify Existing Service
CAPEC-555: Remote Services with Stolen Credentials
CAPEC-560: Use of Known Domain Credentials
CAPEC-561: Windows Admin Shares with Stolen Credentials
CAPEC-600: Credential Stuffing
CAPEC-644: Use of Captured Hashes (Pass The Hash)
CAPEC-645: Use of Captured Tickets (Pass The Ticket)
CAPEC-652: Use of Known Kerberos Credentials
CAPEC-653: Use of Known Operating System Credentials

CAPEC(s) with Mapped TTPs

CAPEC-474: Signature Spoofing by Key Theft
Mapped TTPs:
- T1552.004 : Private Keys
CAPEC-509: Kerberoasting
Mapped TTPs:
- T1558.003 : Kerberoasting
CAPEC-551: Modify Existing Service
Mapped TTPs:
- T1543 : Create or Modify System Process
CAPEC-555: Remote Services with Stolen Credentials
Mapped TTPs:
- T1021 : Remote Services
- T1114.002 : Remote Email Collection
- T1133 : External Remote Services
CAPEC-560: Use of Known Domain Credentials
Mapped TTPs:
- T1078 : Valid Accounts
CAPEC-561: Windows Admin Shares with Stolen Credentials
Mapped TTPs:
- T1021.002 : SMB/Windows Admin Shares
CAPEC-600: Credential Stuffing
Mapped TTPs:
- T1110.004 : Credential Stuffing
CAPEC-644: Use of Captured Hashes (Pass The Hash)
Mapped TTPs:
- T1550.002 : Pass the Hash
CAPEC-645: Use of Captured Tickets (Pass The Ticket)
Mapped TTPs:
- T1550.003 : Pass the Ticket
CAPEC-652: Use of Known Kerberos Credentials
Mapped TTPs:
- T1558 : Steal or Forge Kerberos Tickets

Mapped ATT&CK TTPs

T1552.004 : Private Keys
Kill Chain: credential-access
T1558.003 : Kerberoasting
Kill Chain: credential-access
T1543 : Create or Modify System Process
Kill Chain: persistence
T1021 : Remote Services
Kill Chain: lateral-movement
T1114.002 : Remote Email Collection
Kill Chain: collection
T1133 : External Remote Services
Kill Chain: persistence
T1078 : Valid Accounts
Kill Chain: defense-evasion
T1021.002 : SMB/Windows Admin Shares
Kill Chain: lateral-movement
T1110.004 : Credential Stuffing
Kill Chain: credential-access
T1550.002 : Pass the Hash
Kill Chain: defense-evasion
T1550.003 : Pass the Ticket
Kill Chain: defense-evasion
T1558 : Steal or Forge Kerberos Tickets
Kill Chain: credential-access

Malware

APTs Threat Group Associations

Campaigns

C0027
Operation Wocao
ArcaneDoor
SolarWinds Compromise
Operation CuckooBees
CostaRicto
2016 Ukraine Electric Power Attack
2015 Ukraine Electric Power Attack
APT28 Nearest Neighbor Campaign
Night Dragon
Leviathan Australian Intrusions
Operation MidnightEclipse
C0032
HomeLand Justice
Cutting Edge

Affected Products

cpe:2.3:a:emerson:openbsi:*:*:*:*:*:*:*:*
cpe:2.3:a:emerson:openbsi:5.9:-:*:*:*:*:*:*
cpe:2.3:a:emerson:openbsi:5.9:sp1:*:*:*:*:*:*
cpe:2.3:a:emerson:openbsi:5.9:sp2:*:*:*:*:*:*
cpe:2.3:a:emerson:openbsi:5.9:sp3:*:*:*:*:*:*

← Back to Home