Today the DHS ICS-CERT published a control system advisory for multiple vulnerabilities in Emerson Process Management RTUs. The vulnerabilities were reported by Dillon Beresford, Brian Meixell, Marc Ayala, and Eric Forner of Cimation in a coordinated disclosure. ICS-CERT reports that Emerson has developed a patch that has been validated by the Cimation researchers.
ICS-CERT reports that there are three separate hidden functionality vulnerabilities and a hard-coded credential vulnerability. The four vulnerabilities are:
• OSE debug broadcast, CVE-2013-0693;
• OSE debug service, CVE-2013-0692;
• TFTP server, CVE-2013-0689; and
• Use of hardcoded credentials, CVE-2013-0694.
NOTE: The CVE links will be functional in the near future.
The advisory notes that each of these vulnerabilities is remotely exploitable and would allow a relatively low-skilled attacker to execute arbitrary code and gain full control of the device. These are all serious vulnerabilities; the lowest CVSS v2 base score is 9.0.
Organizations with a large number of these RTUs, particularly those in distribution systems, will have considerable difficulty patching all of the affected devices in a timely manner, and their systems will remain vulnerable until all RTUs are patched.