CVE-2022-29519

7.5 HIGH

📋 TL;DR

This vulnerability allows adjacent attackers to intercept cleartext credentials and configuration data transmitted by STARDOM FCN and FCJ industrial controllers. Attackers can use this information to log into devices and modify configurations or firmware. Organizations using affected Yokogawa controllers in versions R1.01 through R4.31 are at risk.

💻 Affected Systems

Products:
  • STARDOM FCN Controller
  • STARDOM FCJ Controller
Versions: R1.01 to R4.31
Operating Systems: Controller firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using affected firmware versions transmit sensitive data in cleartext.

📦 What is this software?

STARDOM FCN and FCJ are Yokogawa industrial controllers deployed in process-control environments; the affected firmware releases are R1.01 through R4.31.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to industrial controllers, modify safety-critical configurations, upload malicious firmware, and potentially cause physical damage or process disruption.

🟠 Likely Case

Attackers intercept credentials, gain unauthorized access to controllers, and modify operational parameters, causing process anomalies or downtime.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to isolated network segments, and unauthorized access attempts are detected.

🌐 Internet-Facing: LOW - These are industrial controllers typically deployed in isolated networks, not directly internet-facing.
🏢 Internal Only: HIGH - Attackers on the same network segment can intercept traffic and compromise controllers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires adjacent network access (a position on the same network segment as the controller) and relies only on standard traffic sniffing. Once credentials have been intercepted, no authentication bypass is needed to log in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: R4.32 and later

Vendor Advisory: https://web-material3.yokogawa.com/1/32885/files/YSAR-22-0007-E.pdf

Restart Required: Yes

Instructions:

1. Download firmware R4.32 or later from the Yokogawa support portal.
2. Back up the current configuration.
3. Apply the firmware update following vendor documentation.
4. Restart the controller.
5. Verify that encryption is enabled for all communications.

🔧 Temporary Workarounds

Network Segmentation (applies to all affected versions)

Isolate controllers on dedicated VLANs with strict access controls to limit the adjacent attack surface.

Encryption Tunnel (applies to all affected versions)

Deploy VPN or encrypted tunnel solutions between engineering workstations and controllers.

🧯 If You Can't Patch

  • Implement strict network segmentation with firewall rules blocking all unnecessary traffic to controller network segments.
  • Deploy network monitoring and intrusion detection specifically for cleartext credential transmission on controller networks.

🔍 How to Verify

Check if Vulnerable:

Check controller firmware version via web interface or engineering software. If version is between R1.01 and R4.31 inclusive, device is vulnerable.

Check Version:

Use Yokogawa engineering software or web interface to display firmware version.

Verify Fix Applied:

After patching, verify firmware version is R4.32 or later and perform network capture to confirm no cleartext sensitive data transmission.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts from new IP addresses
  • Configuration changes from unexpected sources
  • Firmware update logs from unauthorized users

Network Indicators:

  • Cleartext transmission of credentials on controller network segments
  • Unexpected network traffic patterns to/from controllers
  • ARP spoofing or other MITM indicators

SIEM Query:

(src_ip IN (controller_ips) OR dst_ip IN (controller_ips)) AND protocol IN ("telnet", "http") AND payload CONTAINS "password"

(Pseudo-query; adapt field names to your SIEM. Credentials are most often sent toward the controller, so match on destination as well as source, and parenthesize the protocol test so that telnet sessions are not matched unconditionally.)
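The following is an added example for the "How to Verify" and "Detection & Monitoring" sections above; it is not code from Yokogawa or from the advisory. It checks a STARDOM release string against the affected range R1.01 to R4.31 and the fixed range R4.32 and later, and it applies the SIEM logic above to a set of constructed flow records. The controller addresses (RFC 5737 documentation range), the `Flow` record shape and the credential-marker regex are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Affected range per the advisory: R1.01 through R4.31 inclusive; fixed in R4.32+.
AFFECTED_MIN: Tuple[int, int] = (1, 1)    # R1.01
AFFECTED_MAX: Tuple[int, int] = (4, 31)   # R4.31
FIXED_MIN: Tuple[int, int] = (4, 32)      # R4.32

# STARDOM release strings look like "R4.31": major "4", minor "31".
VERSION_RE = re.compile(r"^R(\d+)\.(\d+)$")


def parse_release(version: str) -> Tuple[int, int]:
    """Turn 'R4.31' into (4, 31) so releases compare numerically, not lexically."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised STARDOM release string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version: str) -> bool:
    """True when the firmware release falls inside R1.01..R4.31."""
    return AFFECTED_MIN <= parse_release(version) <= AFFECTED_MAX


def fix_applied(version: str) -> bool:
    """True when the firmware release is R4.32 or later."""
    return parse_release(version) >= FIXED_MIN


# --- Network-side check: cleartext credentials to/from controllers ---------

# Assumed controller addresses (constructed, documentation range).
CONTROLLER_IPS = {"192.0.2.10", "192.0.2.11"}
# Protocols the advisory's SIEM query treats as cleartext.
CLEARTEXT_PROTOCOLS = {"telnet", "http"}
# Assumed credential markers; tune to what your capture tooling actually shows.
CREDENTIAL_MARKERS = re.compile(r"(password|passwd|pwd|login)\s*[=:]", re.IGNORECASE)


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    payload: str


def touches_controller(flow: Flow, controller_ips=CONTROLLER_IPS) -> bool:
    """Match on either direction: credentials usually travel toward the controller."""
    return flow.src_ip in controller_ips or flow.dst_ip in controller_ips


def find_cleartext_credentials(flows: Iterable[Flow], controller_ips=CONTROLLER_IPS) -> List[Flow]:
    """Return flows that carry credential-like data in cleartext to or from a controller."""
    hits = []
    for f in flows:
        if not touches_controller(f, controller_ips):
            continue
        if f.protocol.lower() not in CLEARTEXT_PROTOCOLS:
            continue
        if CREDENTIAL_MARKERS.search(f.payload):
            hits.append(f)
    return hits


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # Engineering workstation logging in to a controller over plain HTTP: flagged.
    Flow("192.0.2.50", "192.0.2.10", "http",
         "POST /login HTTP/1.1\r\n\r\nuser=admin&password=SAMPLE-REDACTED"),
    # Same exchange over HTTPS: payload is opaque, nothing to flag.
    Flow("192.0.2.50", "192.0.2.10", "https", "<TLS application data>"),
    # Cleartext login to a host that is not a controller: out of scope here.
    Flow("192.0.2.50", "192.0.2.99", "http", "user=ops&password=SAMPLE-REDACTED"),
    # Telnet login prompt answered toward a controller: flagged.
    Flow("192.0.2.50", "192.0.2.11", "telnet", "login: admin\r\n"),
    # Controller replying with status data, no credentials: not flagged.
    Flow("192.0.2.10", "192.0.2.50", "http", "HTTP/1.1 200 OK\r\n\r\nstatus=running"),
]


if __name__ == "__main__":
    for v in ("R1.01", "R4.31", "R4.32"):
        print(v, "affected" if is_affected(v) else "fixed" if fix_applied(v) else "out of range")
    for hit in find_cleartext_credentials(SAMPLE_FLOWS):
        print("cleartext credential", hit.src_ip, "->", hit.dst_ip, hit.protocol)
```

Running it against a real capture means replacing `SAMPLE_FLOWS` with records exported from your packet broker or IDS; after patching to R4.32 or later, `find_cleartext_credentials` over a fresh capture of an engineering login should return nothing.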
