Emerson has a patch to handle an authentication bypass vulnerability in its DeltaV Distributed Control System workstations, according to a report with NCCIC.
Successful exploitation of this vulnerability could allow an attacker to shut down a service, resulting in a denial of service.
DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior suffer from the vulnerability, discovered by Alexander Nochvay of Kaspersky Lab.
A specially crafted script could bypass the authentication of a maintenance port of a service, which may allow an attacker to cause a denial of service.
CVE-2018-19021 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
The product sees use in the chemical, critical manufacturing, and energy sectors. It also sees action on a global basis.
No known public exploits specifically target this vulnerability. This vulnerability is exploitable from an adjacent network. However, an attacker with low skill level could leverage the vulnerability.
Emerson recommends users to patch affected products listed below:
• DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, and R6
Software patches are available to users with access to the Emerson Guardian Support Portal.
For more information, refer to the article for this vulnerability on the Emerson website.
To limit exposure to these and other vulnerabilities, Emerson recommends DeltaV systems and related components be deployed and configured as described in the DeltaV Security Manual which can be found in Emerson’s Guardian Support Portal.