Emerson created a patch that mitigates two authorization vulnerabilities in its DeltaV application, according to a report on ICS-CERT.
These vulnerabilities came directly to Emerson by Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov, and Timur Yunusov of Positive Technologies.
DeltaV Versions 10.3.1, 11.3, 11.3.1, and 12.3 suffer from the issues.
An attacker that has local access to the affected product may be able to read and replace configuration files and log into accounts for which they do not have the correct authorization. A successful exploit of these vulnerabilities is likely to cause a denial of service.
Emerson is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.
Emerson’s DeltaV is a general purpose process control system that sees use worldwide primarily in the oil and gas and chemical industries.
A local attacker with engineering level user privileges can read and replace DeltaV configuration files in the DeltaV directory.
CVE-2014-2349 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.2.
Several DeltaV service processes have diagnostic telnet ports using hardcoded credentials that an attacker could discover and use.
CVE-2014-2350 is the case number assigned to this vulnerability, which has a v2 base score of 2.4.
These vulnerabilities are not exploitable remotely and cannot end up leveraged without user interaction.
No known public exploits specifically target these vulnerabilities. An attacker with a low skill would be able to exploit these vulnerabilities.
Emerson send out a notification (KBA NK-1400-0031) that provides details of the vulnerabilities, recommended mitigations, and instructions on obtaining and installing the patch. This document is available on Emerson’s support site to users who have support contracts with Emerson.