CVE-2022-2485

Summary

Any attempt (good or bad) to log into AutomationDirect Stride Field I/O with a web browser may result in the device responding with its password in the communication packets.

Affected Software

VendorProductVersion RangeStatus
AutomationDirectSIO-MB04RTDSunspecified < 8.3.4.0affected
AutomationDirectSIO- MB04ADSunspecified < 8.4.3.0affected
AutomationDirectSIO-MB04THMSunspecified < 8.5.4.0affected
AutomationDirectSIO-MB08ADS-1unspecified < 8.6.3.0affected
AutomationDirectSIO-MB08ADS-2unspecified < 8.7.3.0affected
AutomationDirectSIO-MB08THMSunspecified < 8.8.4.0affected
AutomationDirectSIO-MB04DASunspecified < 8.11.3.0affected
AutomationDirectSIO-MB12CDRunspecified < 8.0.4.0affected
AutomationDirectSIO-MB16CDD2unspecified < 8.1.4.0affected
AutomationDirectSIO-MB16ND3unspecified < 8.2.4.00affected
AutomationDirectSIO-MB12CDRbatch number (B/N) 5714442222affected
AutomationDirectSIO-MB04ADSB/N 5714442222affected
AutomationDirectSIO-MB04THMSB/N 57141862221affected
AutomationDirectSIO-MB04DASB/N 4714432222affected

Weaknesses

  • CWE-319: CWE-319: Cleartext Transmission of Sensitive Information

Workarounds

AutomationDirect has identified the specific mitigation actions listed below:

Secure physical access. Isolate and air gap networks when possible. Follow the security considerations in the Automation Direct Security Considerations document. https://support.automationdirect.com/docs/securityconsiderations.pdf

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References