VYPR
Unrated severity · NVD Advisory · Published Jul 26, 2022 · Updated Aug 3, 2024

CVE-2022-29952

Description

Bently Nevada condition monitoring equipment through 2022-04-29 mishandles authentication. It utilizes the TDI command and data protocols (60005/TCP, 60007/TCP) for communications between the monitoring controller and System 1 and/or Bently Nevada Monitor Configuration (BNMC) software. These protocols provide configuration management and historical data related functionality. Neither protocol has any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bently Nevada condition monitoring equipment lacks authentication on TDI protocol ports, allowing remote attackers to read/write files or cause denial of service.

Vulnerability

Bently Nevada 3701/40, 3701/44, 3701/46, and 60M100 (3701/60) condition monitoring systems, as used for machinery monitoring, mishandle authentication for the TDI command and data protocols (ports 60005/TCP, 60007/TCP) [1]. These protocols provide configuration management and historical data functionality without any authentication features [1]. The vulnerability affects all versions of 3701/40, 3701/44, and 3701/46 prior to 4.1, and all versions of 60M100 (3701/60) [1]. CVE-2022-29952 is assigned and has a CVSS v3 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H) [1].

Exploitation

An attacker must be capable of communicating with ports 60005/TCP or 60007/TCP on the affected controllers [1]. No authentication is required to invoke a subset of desired functionality [1]. The attack complexity is considered high (as per CVSS vector), but no user interaction or privileges are needed [1]. An attacker can send crafted packets to these ports to trigger read or write operations on the controller's filesystem or cause a denial-of-service condition [1].

Impact

Successful exploitation allows an attacker to read or write files on the monitoring controllers, or cause a denial-of-service condition [1]. The impact is limited to integrity and availability; confidentiality is not directly affected [1]. This could disrupt machinery monitoring operations and potentially lead to unsafe conditions in industrial environments.

Mitigation

Bently Nevada has released firmware version 4.1 for the 3701/40, 3701/44, and 3701/46 series to address this vulnerability [1]. The 60M100 (3701/60) is listed as affected with no fixed version mentioned in the reference [1]. Users should update to version 4.1 or later for the fixed products. Additional mitigations include restricting network access to the affected ports, using firewalls or VPNs, and monitoring for unauthorized traffic on ports 60005/TCP and 60007/TCP [1]. Refer to CISA advisory ICSA-22-188-02 for further details [1].
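
The traffic-monitoring mitigation above, as an added example (not code from the vendor, the CISA advisory, or this page's references): it scans flow records for TCP connections to the TDI ports on monitor addresses from any source that is not a known System 1 or BNMC host. The record format, the allowlisted client addresses, and the monitor subnet are assumptions to be replaced with site values.

```python
import csv
import io
import ipaddress

# TDI command and data protocol ports named in the advisory.
TDI_PORTS = {60005, 60007}

# Assumption: hosts that legitimately run System 1 or BNMC software.
ALLOWED_CLIENTS = [ipaddress.ip_network(n) for n in ("10.20.0.10/32", "10.20.0.11/32")]

# Assumption: subnet holding the 3701-series monitoring controllers.
MONITORS = [ipaddress.ip_network("10.20.5.0/24")]

# Constructed sample flow records (time, proto, src, dst, dport); not real traffic.
SAMPLE_FLOWS = """\
2022-07-26T08:00:01Z,tcp,10.20.0.10,10.20.5.21,60005
2022-07-26T08:00:04Z,tcp,10.20.0.11,10.20.5.21,60007
2022-07-26T08:03:17Z,tcp,10.20.9.77,10.20.5.21,60005
2022-07-26T08:03:18Z,tcp,10.20.9.77,10.20.5.22,60007
2022-07-26T08:05:00Z,tcp,10.20.9.77,10.20.5.22,443
2022-07-26T08:06:42Z,udp,192.0.2.50,10.20.5.21,60005
not,a,valid,record
"""

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def find_unauthorized_tdi(flow_text):
    """Return flows that reach a monitor's TDI port from a non-allowlisted source."""
    alerts = []
    for row in csv.reader(io.StringIO(flow_text)):
        try:
            ts, proto, src, dst, dport = row
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip malformed lines instead of aborting the scan
        if proto.lower() != "tcp" or port not in TDI_PORTS:
            continue  # the advisory names 60005/TCP and 60007/TCP only
        if _in_any(dst_ip, MONITORS) and not _in_any(src_ip, ALLOWED_CLIENTS):
            alerts.append({"time": ts, "src": src, "dst": dst, "port": port})
    return alerts

if __name__ == "__main__":
    for a in find_unauthorized_tdi(SAMPLE_FLOWS):
        print(f"{a['time']} unauthorized TDI access {a['src']} -> {a['dst']}:{a['port']}")
```

Because the protocols carry no authentication, the source address is the only signal available here; the same allowlist should drive the firewall rule that restricts the two ports.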

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
