02 October 2018
Critical vulnerabilities in Emerson AMS Device Manager
Researchers at Kaspersky Lab ISC CERT have identified critical vulnerabilities in Emerson’s AMS Device Manager, a software suite used by enterprises to monitor the state of their industrial assets. Successful exploitation of these vulnerabilities could allow arbitrary code execution and malware injection. The vulnerabilities affect AMS Device Manager versions 12.0 to 13.5.
The improper access control vulnerability, CVE-2018-14804, has been assigned the highest possible severity score (CVSS v.3 base score of 10.0). This flaw can be used to run a specially crafted script that allows arbitrary remote code execution.
The second vulnerability, CVE-2018-14808, enables non-administrative users to change executable and library files on affected products. A CVSS v.3 base score of 8.2 has been calculated for this vulnerability.
To address these vulnerabilities, the vendor recommends installing the relevant patches. Additionally, according to Emerson, CVE-2018-14808 cannot be exploited if application whitelisting is implemented, since it would prevent files from being overwritten.
Threats to ICS and industrial enterprises in 2022 as they are foreseen from November 2021
23 November 2021
Good old buffer overflow
31 March 2021
Network Asset Traversal or NATural disaster: NAT Slipstreaming 2.0
30 March 2021