Risk Summary
Successful exploitation of these vulnerabilities could allow remote code execution or changes to controller configuration, or cause a denial-of-service condition.
CVEs (2)
Remediations
- For CVE-2022-29959, Emerson recommends not using the OpenBSI "User Management Tool" to manage RTU credentials; this utility is no longer supported and will be removed from future versions.
  - Take backups of the information from the SecUsers.ini file securely if the tool has already been used.
  - Delete the SecUser.ini file.
  - Delete the UserMngtTool.exe executable from the OpenBSI folder.
- Devices running OpenBSI and RTUs should never be exposed to the internet. Users should also ensure network security. See OpenBSI Utilities Manual D301414x012 Section 6.1 Configuring OpenBSI Security.
- CVE-2022-29960—DES (Data Encryption Standard) with hardcoded cryptographic keys is used to protect system credentials, engineering files, and sensitive utilities.
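
The CVE-2022-29959 steps above as a single PowerShell script, added here as an example and not Emerson's or the advisory's own code. `$OpenBsiDir` and `$BackupDir` are assumed parameters because the page gives no install path, and the search assumes the credential file sits somewhere under the OpenBSI folder.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: the OpenBSI install folder; the advisory does not give its path.
    [Parameter(Mandatory)][string]$OpenBsiDir,
    # Assumption: a backup location you choose, ideally off the engineering workstation.
    [Parameter(Mandatory)][string]$BackupDir
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $OpenBsiDir -PathType Container)) {
    throw "OpenBSI folder not found: $OpenBsiDir"
}

function Find-Targets {
    # The advisory spells the credential file both SecUsers.ini and SecUser.ini, so match either.
    Get-ChildItem -LiteralPath $OpenBsiDir -Recurse -File |
        Where-Object { $_.Name -like 'SecUser*.ini' -or $_.Name -eq 'UserMngtTool.exe' }
}

$targets  = @(Find-Targets)
$iniFiles = @($targets | Where-Object { $_.Extension -eq '.ini' })

if ($iniFiles.Count -gt 0 -and $PSCmdlet.ShouldProcess($BackupDir, 'create restricted backup folder')) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # Limit the folder to Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) before credentials land in it.
    & icacls.exe $BackupDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $BackupDir" }
}

foreach ($f in $targets) {
    if (-not $PSCmdlet.ShouldProcess($f.FullName, 'remove (credential files are backed up first)')) { continue }
    if ($f.Extension -eq '.ini') {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $dest = Join-Path $BackupDir ('{0}.{1}.bak' -f $f.Name, $hash.Substring(0, 12))
        Copy-Item -LiteralPath $f.FullName -Destination $dest
        # Delete the original only once the copy hashes identically.
        if ((Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash -ne $hash) {
            throw "Backup verification failed for $($f.FullName)"
        }
    }
    Remove-Item -LiteralPath $f.FullName -Force
}

# List anything still present so the result can be recorded.
$left = @(Find-Targets)
if ($left.Count -eq 0) { 'No SecUser*.ini or UserMngtTool.exe remain.' }
else { $left | Select-Object FullName, Length, LastWriteTime }
```

Running it with `-WhatIf` first lists the files it would back up and remove without changing anything.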
Affected Vendors
Emerson
Affected Products (1)
Emerson · OpenBSI <= 5.9 SP3
Affected Sectors
Oil & Gas, Petrochemical, Chemical, Life Sciences, Water and Wastewater