22 August 2018

Multiple vulnerabilities in Emerson DeltaV DCS industrial workstations

Critical vulnerabilities have been identified in industrial workstations of Emerson’s DeltaV distributed control system (DCS). Successful exploitation of these vulnerabilities could allow arbitrary code execution, malware injection or malware propagation to other workstations.

The vulnerabilities affect the following versions of DeltaV: 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5.

The most severe of the vulnerabilities, buffer overflow (CVE-2018-14793), could be exploited through an open communication port to execute arbitrary code. A CVSS v.3 base score of 9.6 has been calculated for this vulnerability.

Another flaw, CVE-2018-14797, could also be exploited to execute arbitrary code using a specially crafted DLL file. Still another critical vulnerability (CVE-2018-14791) is due to improper privilege management. If successfully exploited, it could allow non-administrative users to change executable and library files on the affected products. Both of these vulnerabilities have been assigned a CVSS v.3 base score of 8.2.

Finally, CVE-2018-14795 is an improper path validation vulnerability, which could allow attackers to replace executable files on the affected products. This issue has the severity score of 8.8.

Emerson has released patches that fix the above vulnerabilities. In addition, vulnerabilities CVE-2018-14797, CVE-2018-14795 and CVE-2018-14791 cannot be exploited if application whitelisting is implemented, since it would prevent files from being overwritten.

Source : ICS-CERT