20 May 2020

KLCERT-20-012: Missing Authentication in Emerson OpenEnterprise SCADA before 3.3.4

Vendor

Emerson

Timeline

Timeline

  • Kaspersky ICS CERT advisory published

    20 May 2020

  • Vendor releases patch

    May 2020

  • Vulnerabilities reported

    December 2019

Description

Missing Authentication in Emerson OpenEnterprise SCADA versions before 3.3.4 might lead to arbitrary code execution. The affected components may allow an attacker to run an arbitrary commands with system privileges or perform remote code execution via a specific communication service.

Exploitability

Remotely

Attack complexity

Low

User interaction

None

Impact

The affected components may allow an attacker to run an arbitrary command with system privileges or perform remote code execution via a specific communication service.

Existence of exploit

PoC

Affected products

Emerson OpenEnterprise SCADA versions before 3.3.4.

Mitigation

Vendor mitigation

Emerson recommends all users upgrade your OpenEnterprise system to OpenEnterprise 3.3.5 (OpenEnterprise 3.3 Service Pack 5). All computers with OpenEnterprise installations must be upgraded.

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

Timeline

  • Kaspersky ICS CERT advisory published

    20 May 2020

  • Vendor releases patch

    May 2020

  • Vulnerabilities reported

    December 2019