PatchSiren

CVE-2022-30268 Emerson CVE debrief

CVE-2022-30268 is a medium-severity vulnerability affecting Emerson PACSystem industrial controllers and Fanuc VersaMax devices. The Winloader utility, used for firmware updates over serial port or serial-over-Ethernet connections, does not authenticate the party performing the update. This allows an attacker with physical or network proximity to push malicious firmware images, potentially causing denial-of-service or enabling remote code execution. The vulnerability specifically impacts CPE302, CPE205, and CPE310 models manufactured before the '-Bxxx' hardware revisions. Published June 6, 2024, this CVE documents a long-standing authentication gap in legacy industrial control systems whose firmware update channels were designed without security controls. The CVSS 3.1 score of 4.9 reflects the physical access requirement (AV:P) and low attack complexity, though the integrity impact is rated high (I:H) given the potential for complete system compromise through malicious firmware.

Vendor: Emerson
Product: PACSystem
CVSS: MEDIUM 4.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-06
Original CVE updated: 2024-06-06
Advisory published: 2024-06-06
Advisory updated: 2024-06-06

Who should care

Industrial control system operators, OT security teams, and manufacturing engineers using Emerson PACSystem or Fanuc VersaMax controllers should prioritize this vulnerability. Organizations in critical infrastructure sectors—energy, water, manufacturing, and chemical processing—relying on these legacy controllers for process control face operational technology risk. Asset owners with pre-'-Bxxx' hardware revisions require immediate inventory validation and network segmentation. System integrators and maintenance providers should update procedures to enforce authentication for all firmware update activities.

Technical summary

The Winloader utility in affected Emerson PACSystem controllers (RXi, RX3i, RSTi-EP) and Fanuc VersaMax devices performs firmware updates without authentication over serial or serial-over-Ethernet connections. An attacker with physical serial access or adjacent network access can inject malicious firmware, achieving denial-of-service or remote code execution. The vulnerability is constrained to CPE302, CPE205, and CPE310 hardware produced before the '-Bxxx' revision cutoff. Post-'-Bxxx' hardware revisions are not affected. The CVSS 3.1 vector AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L yields a base score of 4.9, with high integrity impact reflecting firmware compromise potential.

Defensive priority

medium

Recommended defensive actions

  • Identify all Emerson PACSystem RXi, RX3i, RSTi-EP, and Fanuc VersaMax controllers in your environment and verify hardware revision status. Devices with '-Bxxx' or later hardware revisions are not affected.
  • For affected pre-'-Bxxx' hardware, prioritize network segmentation to restrict serial-over-Ethernet access to authorized maintenance stations only.
  • Implement physical security controls to prevent unauthorized serial port access to controllers, as the vulnerability requires physical or adjacent network access.
  • Consult the PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y) for authentication hardening recommendations, including Section 4.3 on authentication controls and Section 4.3.4 on personnel and physical
  • Disable unnecessary Ethernet services per Section 5.2.1.1 of the secure deployment guide to reduce attack surface for serial-over-Ethernet exploitation.
  • If SRP6-a authentication is not deployed, follow Section 2.4 General Recommendations and Section 6.1 Reference Architecture for compensating controls.
  • Establish firmware integrity verification procedures for all controller updates, including cryptographic validation of firmware images before deployment.
  • Monitor for anomalous firmware update activities and unauthorized Winloader utility usage across the industrial control network.
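
The inventory step in the first recommendation can be scripted. The following is an added example, not code from the advisory or the vendor: it sorts an asset list into affected, not affected, needs manual review, and out of scope, using the model list and the '-Bxxx' boundary given above. The CSV columns, the catalog-number strings, and the rule that the revision is a trailing four-character token whose first letter orders the revisions are assumptions to confirm against the device labels.

```python
import csv
import io
import re

# Models the page names as affected before the '-Bxxx' hardware revision.
AFFECTED_MODELS = ("CPE302", "CPE205", "CPE310")
# Assumption: the hardware revision is a trailing '-' plus four characters and
# its first letter orders revisions ('-Axxx' precedes '-Bxxx').
REVISION_RE = re.compile(r"-([A-Z])[A-Z0-9]{3}$")

def classify(catalog_number: str) -> str:
    """Return AFFECTED, NOT_AFFECTED, REVIEW or OUT_OF_SCOPE for one asset."""
    value = catalog_number.strip().upper()
    if not any(model in value for model in AFFECTED_MODELS):
        return "OUT_OF_SCOPE"
    match = REVISION_RE.search(value)
    if match is None:
        # Revision missing or unreadable: do not assume safe, check the label.
        return "REVIEW"
    return "AFFECTED" if match.group(1) < "B" else "NOT_AFFECTED"

def triage(inventory_csv: str) -> dict:
    """Group asset names by status; expects columns asset,catalog_number."""
    result = {"AFFECTED": [], "NOT_AFFECTED": [], "REVIEW": [], "OUT_OF_SCOPE": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row.get("catalog_number") or "")].append(row["asset"])
    return result

# Constructed sample inventory; asset names and catalog strings are illustrative.
SAMPLE = """asset,catalog_number
plc-line1,EXAMPLE-CPE302-AAAA
plc-line2,EXAMPLE-CPE310-BAAA
plc-line3,example-cpe205
plc-line4, EXAMPLE-CPE205-caab
hmi-01,EXAMPLE-PANEL-AAAA
"""

if __name__ == "__main__":
    for status, assets in triage(SAMPLE).items():
        print(f"{status:13} {', '.join(assets) or '-'}")
```

Assets in the REVIEW group have no parseable revision and should be treated as affected until the hardware label is checked.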

Evidence notes

Vulnerability details sourced from CISA ICS Advisory ICSA-24-158-01. Affected products confirmed through CSAF product tree: Emerson PACSystem RXi, RX3i, RSTi-EP, and Fanuc VersaMax. Hardware revision boundary ('-Bxxx') identified as remediation cutoff. CVSS vector AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L from source.
