CVE-2022-29958

9.8 CRITICAL

📋 TL;DR

CVE-2022-29958 allows unauthenticated attackers to execute arbitrary machine code on JTEKT TOYOPUC PLCs by exploiting the unauthenticated CMPLink/TCP protocol used for engineering functions. This gives attackers full control over the PLC's CPU module since these devices lack memory protection mechanisms. Organizations using TOYOPUC PLCs in industrial control systems are affected.

💻 Affected Systems

Products:
  • JTEKT TOYOPUC PLCs
Versions: All versions through 2022-04-29
Operating Systems: PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: PC10G-CPU and likely other TOYOPUC CPU modules are affected. These use processors without MPU/MMU, providing no memory protection.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial processes, allowing attackers to manipulate physical equipment, cause equipment damage, disrupt operations, or create safety hazards.

🟠 Likely Case

Unauthorized modification of control logic leading to process disruption, data manipulation, or industrial espionage.

🟢 If Mitigated

Limited impact if network segmentation and access controls prevent attackers from reaching PLCs.

🌐 Internet-Facing: HIGH - Direct internet exposure would allow remote attackers to fully compromise PLCs.
🏢 Internal Only: HIGH - Even internally, any network access to PLCs allows full compromise due to unauthenticated protocol.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the PLC but no authentication. The protocol is documented for engineering use.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-22-172-02

Restart Required: No

Instructions:

No official patch available. Follow CISA ICS advisory recommendations for mitigation.

🔧 Temporary Workarounds

Network Segmentation


Isolate TOYOPUC PLCs in dedicated network segments with strict access controls.

Firewall Rules


Block CMPLink/TCP protocol (default port 102) from all unauthorized networks and hosts.

🧯 If You Can't Patch

  • Implement strict network segmentation with industrial DMZs
  • Deploy intrusion detection systems monitoring for CMPLink/TCP traffic anomalies

🔍 How to Verify

Check if Vulnerable:

Check whether TOYOPUC PLCs are reachable on the network and whether CMPLink/TCP port 102 is open and accepting connections.

Check Version:

Consult PLC configuration or vendor documentation for firmware version.

Verify Fix Applied:

Verify network segmentation prevents unauthorized access to PLCs and CMPLink/TCP traffic is blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized CMPLink/TCP connection attempts
  • Unexpected engineering workstation connections

Network Indicators:

  • CMPLink/TCP traffic from unauthorized IPs
  • Port 102 scans or connections

SIEM Query:

(source_port:102 OR dest_port:102) AND NOT source_ip:(<authorized_engineering_workstation_ips>)

The port clause is parenthesized so that the allowlist filter applies to both directions; without the parentheses, AND binds before OR and every source_port:102 event would match regardless of the source. Replace the placeholder with the addresses of the engineering workstations permitted to use CMPLink/TCP.
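As an added example of the detection logic the SIEM query expresses (not code from the advisory or from JTEKT), the script below scans constructed flow-log lines for CMPLink/TCP (TCP/102) connections in either direction and flags those whose non-PLC peer is not an allowlisted engineering workstation. The log format, the allowlist prefix 10.10.5.0/29, the PLC range 10.20.0.0/24, and the sample lines are all assumptions made for the example; denied attempts are kept as hits because the page lists port 102 scans as a network indicator.

```python
"""Flag CMPLink/TCP (TCP/102) flows to TOYOPUC PLCs from non-allowlisted hosts.

Hypothetical flow-log format, constructed for this example:
    <ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

CMPLINK_PORT = 102  # default CMPLink/TCP port named in the advisory

# Constructed allowlist: engineering workstations permitted to use CMPLink/TCP.
AUTHORIZED_SOURCES = [ip_network("10.10.5.0/29")]
# Constructed OT segment assumed to hold the TOYOPUC CPU modules.
PLC_HOSTS = [ip_network("10.20.0.0/24")]

# Constructed sample log: one authorized session, two unauthorized peers,
# one PLC-initiated reply, one non-CMPLink flow, and one malformed line.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 10.10.5.2:51000 -> 10.20.0.10:102 tcp allow
2024-03-01T08:00:05Z 192.168.1.77:44312 -> 10.20.0.10:102 tcp allow
2024-03-01T08:00:09Z 10.20.0.10:102 -> 10.10.5.3:51001 tcp allow
2024-03-01T08:01:00Z 172.16.3.9:60001 -> 10.20.0.11:102 tcp deny
2024-03-01T08:01:30Z 10.10.5.2:51002 -> 10.20.0.12:80 tcp allow
this line is malformed
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    action: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; return None for anything that does not match the format."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    try:
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        ip_address(src_ip)  # reject garbage addresses early
        ip_address(dst_ip)
        return Flow(parts[0], src_ip, int(src_port), dst_ip, int(dst_port), parts[4], parts[5])
    except ValueError:
        return None


def _in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def is_cmplink_flow(flow: Flow) -> bool:
    """True when either endpoint uses the CMPLink/TCP port (mirrors the SIEM OR clause)."""
    return flow.proto == "tcp" and CMPLINK_PORT in (flow.src_port, flow.dst_port)


def flag_unauthorized(lines: Iterable[str],
                      authorized=AUTHORIZED_SOURCES,
                      plcs=PLC_HOSTS) -> List[Flow]:
    """Return CMPLink flows whose engineering-side peer is not on the allowlist."""
    hits: List[Flow] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not is_cmplink_flow(flow):
            continue
        # The PLC is the side bound to port 102; the other side is the client.
        if flow.dst_port == CMPLINK_PORT:
            plc, peer = flow.dst_ip, flow.src_ip
        else:
            plc, peer = flow.src_ip, flow.dst_ip
        if not _in_any(plc, plcs):
            continue  # port 102 on a non-PLC host is out of scope here
        if _in_any(peer, authorized):
            continue  # permitted engineering workstation
        hits.append(flow)  # denied attempts stay: they are scan indicators
    return hits


if __name__ == "__main__":
    for hit in flag_unauthorized(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} unauthorized CMPLink peer {hit.src_ip} -> {hit.dst_ip} ({hit.action})")
```

Feed the function your own flow or firewall export after adapting parse_flow to its format; the allowlist check is deliberately applied to the client side of the session so that PLC-initiated replies on source port 102 do not produce false positives.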
