Note: It’s been a busy week at my real job, so some stuff is being posted much later than normal.
On Thursday DHS ICS-CERT published an advisory for two vulnerabilities in the DeltaV product from Emerson. The vulnerabilities were reported to Emerson in a coordinated disclosure by a team (Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov, and Timur Yunusov) from Positive Technologies. Emerson has produced a patch to mitigate the vulnerabilities, but there is no indication in the advisory whether Positive Technologies has had a chance to validate the efficacy of the patch.
The two vulnerabilities are:
• Improper authorization - CVE-2014-2349;
• Hard-coded credentials - CVE-2014-2350.
ICS-CERT reports that a relatively unskilled attacker with local access and a successful social engineering attack could exploit these vulnerabilities to conduct a denial-of-service attack, read or replace configuration files, or log into accounts.
Emerson releases its advisories only to customers, so no other information on these vulnerabilities is publicly available.