02 October 2018

Critical vulnerabilities in Emerson AMS Device Manager

Researchers at Kaspersky Lab ISC CERT have identified critical vulnerabilities in Emerson’s AMS Device Manager, a software suite used by enterprises to monitor the state of their industrial assets. Successful exploitation of these vulnerabilities could allow arbitrary code execution and malware injection. The vulnerabilities affect AMS Device Manager versions 12.0 to 13.5.

The improper access control vulnerability, CVE-2018-14804, has been assigned the highest possible severity score (CVSS v.3 base score of 10.0). This flaw can be used to run a specially crafted script that allows arbitrary remote code execution.

The second vulnerability, CVE-2018-14808, enables non-administrative users to change executable and library files on affected products. A CVSS v.3 base score of 8.2 has been calculated for this vulnerability.

To address these vulnerabilities, the vendor recommends installing the relevant patches. Additionally, according to Emerson, CVE-2018-14808 cannot be exploited if application whitelisting is implemented, since it would prevent files from being overwritten.

Sources: ICS-CERT, Kaspersky Lab ICS CERT