CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence: High
EPSS Percentile: 51.4%
Successful exploitation of these vulnerabilities could disclose sensitive information, allow privilege escalation, or allow remote code execution.
Honeywell reports these vulnerabilities affect the following versions of OneWireless WDM:
3.2.1 COMMAND INJECTION CWE-77
While a backup is in progress, malicious users could enter a system command along with a backup configuration, which could result in the execution of unwanted commands.
CVE-2022-46361 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
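The following is an added illustration of the CWE-77 pattern described above, not Honeywell code: a backup routine that splices a user-supplied backup name into a shell command, shown beside a hardened version that allow-lists the name and passes an argument vector instead of a shell string. The paths, the tar invocation and the sample names are constructed for the example.

```python
import re
import subprocess
from typing import List

# Constructed paths for the illustration; not taken from the product.
BACKUP_DIR = "/var/backups"
CONFIG_DIR = "/etc/wdm"

def build_backup_command_unsafe(backup_name: str) -> str:
    # Vulnerable pattern (CWE-77): the name is interpolated into one string
    # that is later run with shell=True, so any shell metacharacters in the
    # name are interpreted as additional commands by the shell.
    return f"tar czf {BACKUP_DIR}/{backup_name}.tgz {CONFIG_DIR}"

# Allow-list: alphanumerics, '_', '.', '-'; must start alphanumeric so that
# names like ".." or "-flag" are rejected as well.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")

def build_backup_command(backup_name: str) -> List[str]:
    # Hardened: validate against the allow-list, then return an argv list.
    # Without a shell, the name can only ever be a single argument to tar.
    if not SAFE_NAME.fullmatch(backup_name):
        raise ValueError("backup name contains disallowed characters")
    return ["tar", "czf", f"{BACKUP_DIR}/{backup_name}.tgz", CONFIG_DIR]

def run_backup(backup_name: str) -> int:
    # Executes the hardened form (argv list, no shell). Returns tar's exit code.
    return subprocess.run(build_backup_command(backup_name), check=False).returncode

if __name__ == "__main__":
    for name in ("nightly-2023", "nightly; echo injected"):
        print("unsafe string :", build_backup_command_unsafe(name))
        try:
            print("hardened argv :", build_backup_command(name))
        except ValueError as exc:
            print("hardened argv : rejected ->", exc)
```

The `__main__` block only prints the two command forms and does not run tar; `run_backup` is the function a real caller would use.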
3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330
This vulnerability exists due to an insufficiently secure random number used for generating keys, which are used for signing tokens.
CVE-2022-43485 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
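The following is an added illustration of the CWE-330 weakness described above, not Honeywell code: a token-signing key drawn from a non-cryptographic PRNG (reproducible by anyone who knows or can guess the seed) beside one drawn from the operating system CSPRNG, with the HMAC signing and verification that such a key protects. The token format and sample payload are constructed for the example.

```python
import hashlib
import hmac
import random
import secrets

KEY_LEN = 32  # 256-bit HMAC-SHA256 key

def weak_signing_key(seed: int) -> bytes:
    # Vulnerable pattern (CWE-330): random.Random is a Mersenne Twister,
    # not a CSPRNG. A seed such as a start-up timestamp is guessable, and
    # the same seed always yields the same key, so the signing key can be
    # reconstructed without ever reading it from the device.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))

def strong_signing_key() -> bytes:
    # Hardened: 256 bits from the OS CSPRNG; not reproducible from any seed.
    return secrets.token_bytes(KEY_LEN)

def sign_token(key: bytes, payload: bytes) -> bytes:
    # Constructed token format: <payload>.<hex HMAC-SHA256 over payload>
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag

def verify_token(key: bytes, token: bytes) -> bool:
    # Recompute the tag and compare in constant time to avoid timing leaks.
    payload, sep, tag = token.rpartition(b".")
    if not sep:
        return False
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    # Two parties that merely share the seed derive an identical "secret".
    print(weak_signing_key(1678000000) == weak_signing_key(1678000000))  # True
    key = strong_signing_key()
    token = sign_token(key, b"user=operator;role=viewer")
    print(verify_token(key, token))                                       # True
    print(verify_token(key, token.replace(b"viewer", b"admin")))          # False
```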
3.2.3 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
An unauthenticated API could allow an attacker to obtain the information about network resources.
CVE-2022-4240 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The UK’s National Cyber Security Centre (NCSC) reported these vulnerabilities to Honeywell.
Honeywell recommends users upgrade OneWireless WDM to release R322.2. Download information includes the following:
Honeywell advises users to ensure OneWireless security best practices are followed on the network to which the OneWireless WDM is attached, so that access is limited to authorized users only. Users should keep backup files in a network location or on a physical drive with access limited to authorized users only, and should not share them.
The recommended network installation guidelines are available in the Honeywell guide, “Network-Planning-and-Installation-Guide-OWDOC-X253-en-322.” For access, users should visit the Honeywell website and sign in, select “Support” at the top of the web page, then select “Product Documents & Downloads.” In the given search box, search for: “Network-Planning-and-Installation-Guide-OWDOC-X253-en-322” or, after logging in, select the hyperlink: Network-Planning-and-Installation-Guide-OWDOC-X253-en-322.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have a low attack complexity.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4240
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-43485
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46361
cisa.gov/ics
cwe.mitre.org/data/definitions/306.html
cwe.mitre.org/data/definitions/330.html
cwe.mitre.org/data/definitions/77.html
process.honeywell.com/
us-cert.cisa.gov/ics/Recommended-Practices
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H