CVE-2022-30315
Published 2022-07-28
Priority: P2 (60) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.73% (49.6th percentile)
Honeywell Experion PKS Safety Manager (SM and FSC) through 2022-05-06 has Insufficient Verification of Data Authenticity. According to FSCT-2022-0053, there is a Honeywell Experion PKS Safety Manager insufficient logic security controls issue. The affected components are characterized as: Honeywell FSC runtime (FSC-CPU, QPP), Honeywell Safety Builder. The potential impact is: Remote Code Execution, Denial of Service. The Honeywell Experion PKS Safety Manager family of safety controllers utilizes the unauthenticated Safety Builder protocol (FSCT-2022-0051) for engineering purposes, including downloading projects and control logic to the controller. Control logic is downloaded to the controller on a block-by-block basis. The logic that is downloaded consists of FLD code compiled to native machine code for the CPU module (which applies to both the Safety Manager and FSC families). Since this logic does not appear to be cryptographically authenticated, an attacker capable of triggering a logic download can execute arbitrary machine code on the controller's CPU module in the context of the runtime. While the researchers could not verify this in detail, they believe that the microprocessor underpinning the FSC and Safety Manager CPU modules is incapable of offering memory protection or privilege separation, which would give an attacker full control of the CPU module. There is no authentication on control logic downloaded to the controller. Memory protection and privilege separation capabilities for the runtime are possibly lacking. The researchers confirmed the issues in question on Safety Manager R145.1 and R152.2 but suspect the issue affects all FSC and SM controllers and associated Safety Builder versions regardless of software or firmware revision. An attacker who can communicate with a Safety Manager controller via the Safety Builder protocol can execute arbitrary code without restrictions on the CPU module, allowing for covert manipulat
Detection & IOCs (extracted from sources)
- Detect unauthenticated Safety Builder protocol traffic communicating with Safety Manager controllers; because no authentication is present on control logic downloads, any such traffic from an unexpected source is suspicious.
- Treat any Safety Builder protocol activity as high-risk if it originates from outside the designated engineering network segment; network controls should limit which nodes are permitted to speak the Safety Builder protocol to the Safety Manager.
- Alert on Safety Manager key switch position changes: exploitation of CVE-2022-30315 and related CVEs may require or be preceded by key switch manipulation, so monitor both physical and logical indicators of key switch state.
- Correlate Safety Builder protocol abuse with TTPs associated with TRITON/TRISIS malware (MITRE ATT&CK S1009), since successful exploitation enables implanting capabilities similar to that malware.
- The vulnerability is confirmed on Safety Manager R145.1 and R152.2 but believed to affect ALL FSC and SM controllers and Safety Builder versions regardless of software or firmware revision.
- CVE-2022-30315 and CVE-2022-30313 affect ALL versions of Safety Manager; CVE-2022-30314 only affects versions prior to R160.1.
- The CPU module underpinning FSC and Safety Manager is believed to lack memory protection and privilege separation, meaning arbitrary code execution via this vulnerability is fully unrestricted.
- No known public exploits specifically target this vulnerability at the time of advisory publication.
CISA ICS
[HIGH] Honeywell Safety Manager (cisa_ics · 2022-07-26 · CVSS 7.5)
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: Honeywell Safety Manager
Last Revised: July 26, 2022
Alert Code: ICSA-22-207-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Honeywell
- Equipment: Safety Manager
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow for configuration and firmware manipulation or remote code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Safety Manager, a safety solution of the Experion Process Knowledge System, are affected:
- Safety Manager: (CVE-2022-30315, CVE-2
GHSA
GHSA-rqm7-h39v-q6cr: Honeywell Experion PKS Safety Manager (SM and FSC) through 2022-05-06 has Insufficient Verification of Data Authenticity
ghsa_unreviewed · 2022-07-29 · CVE-2022-30315 · [CRITICAL] · CWE-494
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.