Saturday, May 24, 2014

ICS-CERT Publishes Emersion Advisory

Note: It’s been a busy week at my real job, so some stuff is being posted much later than normal.

On Thursday DHS ICS-CERT published an advisory for two vulnerabilities in the DeltaV product from Emerson. The vulnerabilities were reported to Emerson in a coordinated disclosure by a team (Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov, and Timur Yunusov) from Positive Technologies. Emerson has produced a patch to mitigate the vulnerabilities, but there is no indication in the advisory if Positive Technologies has had a chance to validate the efficacy of the patch.

The two vulnerabilities are:

• Improper authorization - CVE-2014-2349;
• Hard-coded credentials - CVE-2014-2350.

ICS-CERT reports that a relatively unskilled attacker with local access and a successful social engineering attack could exploit these vulnerabilities to conduct a denial of service attack or read/replace configuration files, or log into accounts.

Emerson only releases their advisories to customers so no other information on this vulnerability is publicly available.

No comments:

/* Use this with templates/template-twocol.html */