Alerton, a subsidiary of Honeywell, is a major manufacturer of building management systems for heating, ventilation, and air conditioning (HVAC). SCADAfence's research team discovered vulnerabilities that led to NIST issuing the first CVEs ever assigned to Alerton products. Left without proper security measures, these vulnerabilities could lead to major disruptions in any facility where they are deployed.

This is a technical report on how our research team discovered these vulnerabilities.

Alerton Ascent Suite

Alerton Ascent is a suite of controllers, devices, and software used for building management, specifically in regard to HVAC. The Ascent product suite is deployed in buildings, server rooms, chemical labs, hospitals and more, with the purpose of maintaining the appropriate air flow and safe temperature required for a room's or space's specific need.

The Alerton Suite is made up of many different components. For example, in the research we conducted the Alerton Ascent network comprised:

- Alerton Ascent Control Module (ACM) – Main controller
- Alerton Compass – Management and Control Tool

As seen in the topology map, an ACM is connected to a VLC-853 device over a serial port. The Compass software and Visual Logic software have access to the ACM over Ethernet via a network switch.

Any user, innocent or malicious, can access the various Alerton devices and software either locally or remotely via the network switch, assuming that there are no extra security tools providing network protection (such as an FW or switch port security). A malicious user gaining access to the Ascent Suite can result in a degradation of credibility, integrity, and availability of the BMS as a whole.

The Compass software provides the ability to configure the ACM. This configuration includes setting IP values, enabling or disabling specific ports, defining which networking protocols are active and more. In general, the configuration is set when the system is installed and is rarely changed thereafter.

Two of the CVEs that were disclosed, CVE-2022-30242 (CVSS 3.x score of 6.8) and CVE-2022-30245 (CVSS 3.x score of 6.5), are vulnerabilities that allow configuration changes to be made outside of the Compass software without any authorization or authentication.