Emerson has a patch that addresses improper access control and improper privilege management vulnerabilities in its AMS Device Manager, according to a report from NCCIC.
Successful exploitation of these vulnerabilities, discovered by Sergey Temnikov of Kaspersky Lab and Emerson, could allow arbitrary remote code execution and malware injection.
AMS Device Manager, an asset management system, suffers from the remotely exploitable vulnerabilities in versions v12.0 to v13.5.
In one vulnerability, a specially crafted script may be run that allows arbitrary remote code execution.
CVE-2018-14804 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.
In the other issue, non-administrative users are able to change executable and library files on the affected products.
CVE-2018-14808 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.2.
The product sees use mainly in the chemical and energy sectors, and it is deployed on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
Emerson recommends users patch the affected products listed below:
AMS Device Manager: v12.0 to v13.5
Software patches are available to users with access to the Guardian Support Portal.
Please refer to the Knowledge Base Articles for AMS NK-1700-0324, NK-1700-0252 and DeltaV NK-1800-0880 (DSN 18006) for more information.
Vulnerability CVE-2018-14808 cannot be exploited if application whitelisting is implemented, since it would prevent files from being overwritten.
To limit exposure to these and other vulnerabilities, Emerson recommends deploying and configuring AMS Device Manager as described in the AMS Device Manager Installation Guide, which is available in Emerson’s Guardian Support Portal.