Today the DHS ICS-CERT published a control system advisory
for Emerson Process Management RTUs for multiple vulnerabilities. The
vulnerabilities were reported by Dillon Beresford, Brian Meixell, Marc Ayala,
and Eric Forner of Cimation in a coordinated disclosure. ICS-CERT reports that
Emerson has developed a patch that has been validated by the Cimation
researchers.
ICS-CERT reports that there are three separate hidden
functionality vulnerabilities and a hard-coded credential vulnerability. The
four vulnerabilities are:
• OSE debug broadcast, CVE-2013-0693;
• OSE debug service, CVE-2013-0692;
• TFTP server, CVE-2013-0689;
and
• Use of hardcoded credentials, CVE-2013-0694.
NOTE: The CVE links will be functional in the near future.
The advisory notes that each of these vulnerabilities are
remotely exploitable and would allow a relatively low skilled attacker to
execute arbitrary code and gain full control of the device. These are all
serious vulnerabilities; the lowest CVSS v2 base score is 9.0.
Organizations with a large number of these RTUs,
particularly those in distribution systems, will have a large degree of
difficulty in patching all of the affected devices in a timely manner and their
systems will remain vulnerable until all RTUs are patched.
Posts
No comments:
Post a Comment