CVE-2022-30269

Published: Jul 26, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Motorola ACE1000 RTUs through 2022-05-02 mishandle application integrity. They allow for custom application installation via either STS software, the C toolkit, or the ACE1000 Easy Configurator. In the case of the Easy Configurator, application images (as PLX/DAT/APP/CRC files) are uploaded via the Web UI. In case of the C toolkit, they are transferred and installed using SFTP/SSH. In each case, application images were found to have no authentication (in the form of firmware signing) and only relied on insecure checksums for regular integrity checks.

Affected (1)

Products: Motorola: Ace1000 Firmware

1 product

Ace1000 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Motorola Ace1000 Firmware	All versions

Running on/with	Platform Versions
Motorola Ace1000	All versions

Related CWEs

Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References (4)

https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-06

Source: cve@mitre.org

MitigationThird Party AdvisoryUS Government Resource

https://www.forescout.com/blog/

Source: cve@mitre.org

Not Applicable

https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-06

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationThird Party AdvisoryUS Government Resource

https://www.forescout.com/blog/

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

Timeline

No history available yet.