01 March 2019

KLCERT-19-001: DeltaV Authentication Bypass

Vendor

Emerson

Researcher

Alexander Nochvay, Kaspersky ICS CERT

Timeline

  • Kaspersky ICS CERT advisory updated

    26 January 2024

  • Kaspersky ICS CERT advisory published

    01 March 2019

  • Patch released

    January 2019

  • Vendor notifies that fix is going to be released

    September 2018

  • Vulnerabilities reported

    15 June 2016

Description

An attacker with network access to the affected distributed control system (DCS) workstation can bypass the authentication of a maintenance port by brute force, because the number of login attempts is not limited. With access to the maintenance port, the attacker can cause a denial-of-service condition.

Exploitability

Remotely

Attack complexity

Low

User interaction

None

Impact

A remote attacker can bypass authentication in DeltaV and expand the attack surface.

Existence of exploit

PoC

Affected products

DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior.

Mitigation

Vendor mitigation

Apply patch from Emerson Guardian Support portal.

KL ICS CERT mitigation

Set up the border firewall (or a similar network traffic control solution) to allow only authorized parties to send traffic to ports 705/TCP, 706/TCP, 709/TCP, 750/TCP and 751/TCP of the system.
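
The following check is an added example, not part of the original advisory or of Emerson's tooling: it audits firewall flow records for traffic to the five ports listed above that comes from sources outside an allowlist, and marks sources whose traffic was allowed or repeated. The log format, all addresses, the allowlist range and the attempt threshold are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# TCP ports named in the KL ICS CERT mitigation.
MAINTENANCE_PORTS = {705, 706, 709, 750, 751}
# Assumption: engineering hosts allowed to reach those ports (constructed range).
AUTHORIZED = [ip_network("10.10.5.0/28")]
# Assumption: hypothetical cut-off above which repeated connections from one
# source are reported as a possible brute-force run against the login.
ATTEMPT_THRESHOLD = 5

# Constructed flow records: "timestamp src dst dst_port proto action".
SAMPLE_LOG = "\n".join(
    ["2019-03-01T10:00:01 10.10.5.3 10.10.1.20 705 TCP ALLOW"]
    + [f"2019-03-01T10:01:{s:02d} 192.0.2.44 10.10.1.20 751 TCP ALLOW"
       for s in range(7)]
    + ["2019-03-01T10:02:00 198.51.100.9 10.10.1.20 706 TCP DENY",
       "2019-03-01T10:02:05 192.0.2.44 10.10.1.20 443 TCP ALLOW",
       "2019-03-01T10:02:09 198.51.100.9 10.10.1.20 705 UDP DENY"]
)


def audit(log_text):
    """Report unauthorized sources contacting the maintenance ports."""
    stats = defaultdict(lambda: [0, 0])  # (src, dst) -> [attempts, allowed]
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[3].isdigit():
            continue  # skip blank or malformed records
        _ts, src, dst, port, proto, action = fields
        if proto != "TCP" or int(port) not in MAINTENANCE_PORTS:
            continue  # not one of the ports in the mitigation
        if any(ip_address(src) in net for net in AUTHORIZED):
            continue  # authorized party
        entry = stats[(src, dst)]
        entry[0] += 1
        entry[1] += int(action == "ALLOW")
    return [
        {"src": src, "dst": dst, "attempts": attempts,
         # Any ALLOW here means the border rule is missing or too broad.
         "firewall_gap": allowed > 0,
         "possible_brute_force": attempts > ATTEMPT_THRESHOLD}
        for (src, dst), (attempts, allowed) in sorted(stats.items())
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```
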

Kaspersky Lab publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky Lab does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
