CVE-2022-29951

9.1 CRITICAL

📋 TL;DR

CVE-2022-29951 is an authentication bypass vulnerability in JTEKT TOYOPUC PLCs that allows attackers to execute engineering functions without credentials. This affects all JTEKT TOYOPUC PLCs using the CMPLink/TCP protocol through April 29, 2022. Industrial organizations using these PLCs for automation and control systems are at risk.

💻 Affected Systems

Products:
  • JTEKT TOYOPUC PLCs
Versions: All versions through 2022-04-29
Operating Systems: PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using CMPLink/TCP protocol on configurable ports 1024-65534 over TCP or UDP. The vulnerability exists in the protocol design itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial processes allowing attackers to stop production, modify control logic, upload malicious projects, or cause physical damage to equipment.

🟠 Likely Case

Unauthorized access to PLC functions allowing attackers to disrupt operations, steal intellectual property (project files), or modify configurations.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthorized access to PLC communication ports.

🌐 Internet-Facing: HIGH - Any internet-exposed PLC with CMPLink/TCP enabled can be directly attacked without authentication.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this vulnerability to gain full control of PLCs.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and the protocol is documented, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-22-172-02

Restart Required: No

Instructions:

No official patch available. Follow vendor guidance and implement compensating controls as described in workarounds.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate PLCs in dedicated network segments with strict firewall rules limiting access to CMPLink/TCP ports.

Disable CMPLink/TCP (applies to: all)

Disable the CMPLink/TCP protocol if not required for operations.

Access Control Lists (applies to: all)

Implement network ACLs to restrict access to PLC ports only from authorized engineering stations.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PLCs from untrusted networks
  • Deploy intrusion detection systems to monitor for unauthorized access attempts to PLC ports

🔍 How to Verify

Check if Vulnerable:

Check if JTEKT TOYOPUC PLCs are accessible on ports 1024-65534 via TCP or UDP and if CMPLink/TCP protocol is enabled.

Check Version:

Check PLC firmware version through engineering software or physical interface. All versions through April 29, 2022 are affected.

Verify Fix Applied:

Verify that network controls prevent unauthorized access to PLC ports and that only authorized systems can communicate with PLCs.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized connection attempts to PLC ports
  • Unexpected engineering function calls
  • Configuration changes from unauthorized sources

Network Indicators:

  • Traffic to PLC ports from unauthorized IP addresses
  • CMPLink/TCP protocol traffic from unexpected sources

SIEM Query:

source_ip NOT IN (authorized_ips) AND destination_port BETWEEN 1024 AND 65534 AND (protocol=tcp OR protocol=udp)
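The query above flags any non-allowlisted source reaching any port in 1024-65534, which on most networks matches ordinary traffic. Scoping the rule to the PLC inventory and to each device's configured CMPLink/TCP port makes it actionable. The following is an added example (Python), not part of the original page; the PLC addresses, ports, allowlist and flow records are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory: PLC address -> CMPLink/TCP port configured on that device.
# The protocol uses a configurable port in 1024-65534; these values are assumptions.
PLC_PORTS = {"10.20.0.11": 2000, "10.20.0.12": 2001}

# Constructed allowlist of engineering stations permitted to reach the PLCs.
AUTHORIZED = [ipaddress.ip_network("10.10.5.0/28")]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"; CMPLink/TCP is carried over both

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())

def is_authorized(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED)

def detect(lines):
    """Return (src, dst, dport, proto, reason) for PLC-bound TCP/UDP flows from
    hosts outside the allowlist: a hit on the device's CMPLink/TCP port is the
    primary alert; any other port in the configurable range is a weaker signal."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if f.dst not in PLC_PORTS or f.proto not in ("tcp", "udp"):
            continue  # only traffic to inventoried PLCs is in scope
        if is_authorized(f.src):
            continue
        if f.dport == PLC_PORTS[f.dst]:
            alerts.append((f.src, f.dst, f.dport, f.proto, "unauthorized CMPLink/TCP access"))
        elif 1024 <= f.dport <= 65534:
            alerts.append((f.src, f.dst, f.dport, f.proto, "unauthorized high-port contact with PLC"))
    return alerts

SAMPLE_FLOWS = [  # constructed records: src dst dport proto
    "10.10.5.3 10.20.0.11 2000 tcp",    # engineering station: allowed
    "10.10.9.77 10.20.0.11 2000 tcp",   # unknown host on the CMPLink/TCP port
    "10.10.9.77 10.20.0.12 2001 udp",   # same host, UDP transport
    "10.10.9.77 10.20.0.12 502 tcp",    # below the configurable range: not this rule
    "10.10.9.77 10.30.0.5 2000 tcp",    # destination is not a PLC
    "10.10.9.77 10.20.0.11 4444 tcp",   # high port on a PLC, not its CMPLink port
]
```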
