20 May 2020

KLCERT-20-011: Inadequate Encryption Strength in Emerson OpenEnterprise SCADA before 3.3.4

Vendor

Emerson

Timeline

Timeline

  • Kaspersky ICS CERT advisory published

    May 2020

  • Vendor advisory published

    May 2020

  • Patched

    May 2020

  • Vulnerability reported

    December 2019

Description

Inadequate Encryption Strength in Emerson OpenEnterprise SCADA versions before 3.3.4.

Exploitability

Local

Attack complexity

Low

User interaction

None

Impact

Inadequate encryption may allow the passwords for OpenEnterprise user accounts to be obtained.

Existence of exploit

PoC

Affected products

Emerson OpenEnterprise SCADA versions before 3.3.4.

Mitigation

Vendor mitigation

Emerson recommends all users upgrade your OpenEnterprise system to OpenEnterprise 3.3.5 (OpenEnterprise 3.3 Service Pack 5). All computers with OpenEnterprise installations must be upgraded.

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

Timeline

  • Kaspersky ICS CERT advisory published

    May 2020

  • Vendor advisory published

    May 2020

  • Patched

    May 2020

  • Vulnerability reported

    December 2019