Today the DHS ICS-CERT published three control system security advisories for three products from Emerson. I’m also reporting an update for a previously published advisory for a product from Schneider; the update was published last week.
DeltaV Wireless I/O Card Advisory
This advisory describes an open SSH port vulnerability in the Emerson DeltaV Wireless I/O Card. The vulnerability is apparently self-reported. Emerson has produced a firmware update to mitigate the vulnerability.
ICS-CERT reports that it would be difficult to develop a working exploit of this vulnerability, but it could be remotely exploited to access the file system of devices using the affected product.
DeltaV Easy Security Management Advisory
This advisory describes an improper privilege management vulnerability in the Emerson DeltaV Easy Security Management application. Apparently, this is a self-reported vulnerability. Emerson is discontinuing support for this application.
ICS-CERT reports that local network access is required to exploit this vulnerability, but that constructing an exploit would be difficult. A successful exploit would allow an attacker to elevate privileges within a DeltaV control system.
Liebert SiteScan Advisory
This advisory describes an XML external entity vulnerability in the Emerson Liebert SiteScan application. The vulnerability was reported by Evgeny Ermakov from Positive Technologies. Emerson has produced patches to mitigate the vulnerability.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability, which may lead to the disclosure of confidential data, denial of service (DoS), server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
This update provides additional information about which versions affected by these vulnerabilities require a reboot to recover from the denial of service. It also provides a link to the Schneider security notice that I mentioned.