PatchSiren cyber security CVE debrief
CVE-2022-29966 Emerson CVE debrief
CVE-2022-29966 is a critical vulnerability in Emerson Ovation industrial control systems, published by CISA on June 6, 2024. The vulnerability stems from multiple protocols lacking authentication mechanisms, enabling unauthenticated remote attackers to modify controller configurations or induce denial-of-service conditions. The affected product is Emerson Ovation versions 3.8.0 Feature Pack 1 and earlier. This vulnerability carries a CVSS 3.1 score of 9.8 (Critical), reflecting a network-based attack vector with low complexity, no privileges required, and high impact on confidentiality, integrity, and availability. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Emerson
- Product: Ovation
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-06
- Original CVE updated: 2024-06-06
- Advisory published: 2024-06-06
- Advisory updated: 2024-06-06
Who should care
Industrial control system operators in energy, water, and critical infrastructure sectors using Emerson Ovation DCS; OT security teams responsible for power generation and process control environments; asset owners with legacy Ovation deployments prior to Feature Pack 3.
Technical summary
The Emerson Ovation distributed control system implements multiple communication protocols without authentication requirements. An unauthenticated attacker with network access to affected Ovation controllers can exploit these protocol weaknesses to modify controller configurations or disrupt operations through denial-of-service attacks. The vulnerability affects Ovation versions 3.8.0 Feature Pack 1 and earlier. Remediation requires upgrading to Feature Pack 3 and implementing defense-in-depth architecture with OCR3000 controllers where feasible.
Defensive priority
critical
Recommended defensive actions
- Upgrade to Ovation 3.8.0 Feature Pack 3 to remediate identified vulnerabilities
- Deploy OCR3000 controllers for enhanced protection unavailable in older controller models
- Configure Ovation systems per Cybersecurity for Ovation Systems manual (OVREF1000)
- Contact Ovation-CERT at [email protected] or 1-800-445-9723 (option 3) for impact assessment
- Implement network segmentation to isolate Ovation control systems from untrusted networks
- Apply defense-in-depth strategies per CISA ICS recommended practices
Evidence notes
Vulnerability description and remediation guidance sourced from CISA CSAF advisory ICSA-24-158-02. Affected product version confirmed as Ovation <=3.8.0_Feature_Pack_1. CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H validated against source.
Official resources
- CVE-2022-29966 CVE record (CVE.org)
- CVE-2022-29966 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-06-06