VYPR
Unrated severity · NVD Advisory · Published May 27, 2022 · Updated Aug 3, 2024

CVE-2022-29735

Description

Delta Controls enteliTOUCH versions 3.33.4005, 3.40.3706, and 3.40.3935 allow unauthenticated command injection via a crafted HTTP request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Delta Controls enteliTOUCH versions 3.33.4005, 3.40.3706, and 3.40.3935 are vulnerable to an unauthenticated command injection flaw. The vulnerability resides in the web interface exposed by the device and does not require any special configuration or access permissions to reach the affected code path [1].

Exploitation

An attacker can send a specially crafted HTTP request to the target device over the network. No authentication, user interaction, or prior access is required. The injection occurs because the device fails to sanitize user-supplied input within the request, leading to arbitrary command execution on the underlying operating system [1].

Impact

Successful exploitation results in arbitrary command execution with the privileges of the enteliTOUCH web service, which may have a high level of access to the device. This can lead to full compromise of the building management system controller, including data disclosure, configuration modification, and potential pivot attacks within the building automation network [1].

Mitigation

A fixed version has not been announced by the vendor as of the publication date of this CVE. Users should monitor Delta Controls advisories [2] for a patch or firmware update. Until a fix is available, restrict network access to the enteliTOUCH device to trusted hosts and segments, and monitor for suspicious HTTP requests.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
