TID-315: Password Retrieval Mechanism Abused
Threat Description
If the device includes a password retrieval mechanism, a threat actor could use that mechanism to retrieve a valid credential and then access the device. Password retrieval functions are typically intended to support access from dedicated device management tools, but these functions may be reverse engineered and then invoked by the threat actor to obtain valid credentials for the device.
Threat Maturity and Evidence
Proof of Concept
AutomationDirect DirectLOGIC with Serial Communication - CVE-2022-2003, research by Sam Hanson of Dragos
“The product is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes.”
CWE
CWE-319: Cleartext Transmission of Sensitive Information
“The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.”
CVE
CVE-2022-2003
“The product is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes.”
CVE-2022-31205
“The password to access the Web UI can be read from memory using the Omron FINS protocol without any further authentication.”