CVE-2022-1668

9.8 CRITICAL

📋 TL;DR

CVE-2022-1668 is a critical authentication weakness: weak default root credentials let a remote attacker who can reach the device's SSH port log in directly as the OS superuser. No exploit code is involved, only a standard SSH client and the default password. The affected systems are industrial control products and similar devices that ship with SSH enabled and the root credential at its factory default. Any deployment still running the default configuration is at immediate risk.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk AssetCentre
Versions: prior to 10.00.00.09
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects FactoryTalk AssetCentre servers with SSH enabled and using default root credentials.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to install malware, exfiltrate sensitive data, disrupt operations, or pivot to other network systems.

🟠

Likely Case

Unauthorized root access leading to data theft, system manipulation, or ransomware deployment on vulnerable devices.

🟢

If Mitigated

No impact once the default root password has been replaced with a strong, unique one and SSH is reachable only from trusted management hosts.

🌐 Internet-Facing: HIGH - an SSH port exposed to the internet with a default root password is found by routine scanning and compromised with a single login attempt.
🏢 Internal Only: MEDIUM - an attacker already on the plant network, or a compromised engineering workstation, can log in with the same default credential for as long as it remains unchanged.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attackers need only a standard SSH client and the default credential; no exploit code or special tooling is involved, so there is no malformed traffic for an IDS signature to catch. The login looks like any other administrative session.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk AssetCentre version 10.00.00.09

Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1668.html

Restart Required: Yes

Instructions:

1. Download FactoryTalk AssetCentre version 10.00.00.09 from Rockwell Automation.
2. Apply the update following the vendor documentation.
3. Restart the system as required.
4. Confirm that the root credential is no longer the default (see How to Verify).

🔧 Temporary Workarounds

Change Default Root Password

linux

Immediately replace the default root password with a strong, unique password; a root login with the old default must then fail.

# run on the affected device as root; you are prompted for the new password twice
passwd root

Restrict SSH Access

linux

Limit SSH access to specific source addresses with host firewall rules. iptables rules live only in kernel memory: unless the system saves and restores them at boot, they are gone after a restart, so re-check them after any reboot.

# allow SSH only from the trusted management host; the DROP must come after the ACCEPT
iptables -A INPUT -p tcp --dport 22 -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
# -A appends to the end of INPUT: if an earlier rule already accepts port 22 these never match.
# iptables -L INPUT -n --line-numbers shows the order; iptables -I INPUT <n> ... inserts at position n.

🧯 If You Can't Patch

  • Change all default credentials immediately and enforce a strong password policy for every local account.
  • Disable the SSH service if it is not required; otherwise allow it only from trusted management networks, and prefer key-based authentication over passwords where the device supports it.

🔍 How to Verify

Check if Vulnerable:

A system is vulnerable if the installed FactoryTalk AssetCentre version is below 10.00.00.09 and SSH is reachable with the root account still on its default password. If you test the credential, do so from an authorized host, with the asset owner's knowledge, and log the attempt so it is not mistaken for an intrusion.

Check Version:

Check FactoryTalk AssetCentre version in application interface or installation directory.

Verify Fix Applied:

Confirm that version 10.00.00.09 (or later) is installed and that the root password is no longer the default: an SSH login attempt with the old default credential must now fail.
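Version checks against a dotted build number go wrong when done as plain string comparison (as text, "9.00.00.01" sorts after "10.00.00.09"). The following is an added example, not code from the page or from the vendor: it compares the installed version numerically against the 10.00.00.09 fix version quoted above. The installed version string is whatever the product's interface or installation directory reports.

```python
FIXED_VERSION = "10.00.00.09"  # fix version quoted on this page


def parse_version(v):
    """'10.00.00.08' -> (10, 0, 0, 8). Integer tuples compare correctly across digit widths."""
    parts = v.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_version(installed, fixed=FIXED_VERSION):
    """True when the installed build is older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


if __name__ == "__main__":
    for v in ("10.00.00.08", "10.00.00.09", "9.00.00.01", "10.00.00.10"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

Feed the version reported by the installed product to is_vulnerable_version; a non-numeric string raises rather than silently comparing as text.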

📡 Detection & Monitoring

Log Indicators:

  • Failed SSH login attempts followed by successful root login
  • SSH connections from unexpected IP addresses

Network Indicators:

  • Inbound connections to TCP/22 on the affected host from the internet or from outside the trusted management network
  • Root SSH sessions outside maintenance windows, or from hosts that do not normally administer the device

SIEM Query:

source="ssh_logs" "Accepted password for root" | rex "from (?<src_ip>\d+\.\d+\.\d+\.\d+)" | stats count by src_ip

(Splunk-style syntax; the rex pulls the source address out of the standard OpenSSH "Accepted password for root from <ip> port <n> ssh2" message. Adjust field and source names for your SIEM.)
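The log indicators and the SIEM query above can also be run offline against raw OpenSSH syslog lines, which is useful when the device forwards syslog but the SIEM has no sshd field extraction. This is an added example, not code from the page or from the vendor: it parses constructed sshd log lines (not from a real incident), counts accepted password logins for root per source address, and flags those that come from outside an assumed trusted management network (10.10.5.0/24, a placeholder) or that follow failed attempts from the same source.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of OpenSSH syslog lines for a device named plc01; not a real log.
SAMPLE_LOG = """\
May 12 09:14:01 plc01 sshd[2201]: Failed password for root from 203.0.113.7 port 50112 ssh2
May 12 09:14:03 plc01 sshd[2201]: Failed password for root from 203.0.113.7 port 50112 ssh2
May 12 09:14:05 plc01 sshd[2203]: Accepted password for root from 203.0.113.7 port 50118 ssh2
May 12 09:20:44 plc01 sshd[2310]: Accepted publickey for admin from 10.10.5.20 port 41002 ssh2
May 12 09:31:10 plc01 sshd[2355]: Accepted password for root from 10.10.5.21 port 41510 ssh2
May 12 09:40:00 plc01 sshd[2400]: Invalid user test from 198.51.100.9 port 33001
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for <user> from <ip> port <n>" message.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Assumed trusted management network (placeholder); replace with the real engineering VLAN.
TRUSTED_NETS = [ipaddress.ip_network("10.10.5.0/24")]


def parse_sshd(text):
    """Return one dict (result, method, user, src, port) per line that is an auth result."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def root_password_logins_by_src(events):
    """Offline equivalent of the SIEM query: accepted password logins for root, counted per source."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Accepted" and e["method"] == "password" and e["user"] == "root":
            counts[e["src"]] += 1
    return dict(counts)


def find_suspicious(events):
    """Flag every accepted root password login; add reasons for untrusted source or prior failures.

    Failures are counted per source over the whole input. A production detector would bound
    this to a time window (for example the preceding ten minutes).
    """
    findings = []
    failed = defaultdict(int)
    for e in events:
        if e["user"] != "root":
            continue
        if e["result"] == "Failed":
            failed[e["src"]] += 1
        elif e["method"] == "password":  # result is "Accepted"; key logins are not the weakness here
            reasons = ["root_password_login"]
            if not is_trusted(e["src"]):
                reasons.append("untrusted_source")
            if failed[e["src"]]:
                reasons.append(f"after_{failed[e['src']]}_failures")
            findings.append({"src": e["src"], "port": int(e["port"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_sshd(SAMPLE_LOG)):
        print(f"root password login from {f['src']}:{f['port']} -> {', '.join(f['reasons'])}")
```

Run as-is to see the two findings; replace SAMPLE_LOG with the forwarded syslog to use it on real data. Accepted publickey logins for root are deliberately not flagged, since key authentication is not the weakness described here; widen the filter if your policy forbids any root login at all.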
