A hotfix is available to mitigate the multiple vulnerabilities in the Emerson DeltaV application, according to a report from ICS-CERT.
Researcher Kuang-Chun Hung of the Security Research and Service Institute–Information and Communication Security Technology Center (ICST), who found the holes, tested this hotfix and confirms it fully resolves the vulnerabilities.
“While no one enjoys having a security issue, Emerson appreciated working with the staff at ICS-CERT and the Taiwanese researcher in resolving these vulnerabilities in a professional manner,” said Jeff Potter, director — security architecture for PlantWeb Technology at Emerson. “ICS-CERT in turn indicated they were pleased with the diligence and timeliness of Emerson’s response.”
The following products suffer from the issues:
• DeltaV and DeltaV Workstations V9.3.1, V10.3.1, V11.3, and V11.3.1
• DeltaV ProEssentials Scientific Graph
These remotely exploitable vulnerabilities could allow denial of service, information disclosure, or remote code execution.
Emerson is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.
One of the vulnerabilities is a cross-site scripting issue, which can enable an attacker to inject client-side script into web pages viewed by other users or to bypass client-side security mechanisms imposed by modern web browsers. If successfully exploited, this vulnerability could allow arbitrary code execution; exploitation may require social engineering. CVE-2012-1814 is the number assigned to this vulnerability, which has a CVSS V2 base score of 7.5.
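The cross-site scripting class described above comes down to untrusted input being written into a page without encoding. The following Python snippet is an added illustration, not code from the advisory or from Emerson's product: it renders a constructed comment string once unencoded and once through the standard library's html.escape, and also shows the attribute-context caveat that encoding alone does not address (a link attribute needs a scheme allowlist). The sample comment and the function names are assumptions made for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input for the example: a "comment" that carries markup.
SAMPLE_COMMENT = '<script>alert("xss")</script> & <b>bold</b>'

# Constructed sample link for the attribute-context check.
SAMPLE_LINK = 'javascript:alert(1)'


def render_unsafe(comment: str) -> str:
    """Vulnerable pattern: user-supplied text is interpolated straight into HTML.
    The browser parses any tags in the comment as live markup."""
    return f'<p class="comment">{comment}</p>'


def render_escaped(comment: str) -> str:
    """Hardened pattern for HTML body context: encode <, >, &, " and ' so the
    browser treats the comment as text rather than markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def safe_href(url: str) -> str:
    """Attribute context caveat: html.escape does not neutralize a javascript: URL
    placed in href. Allow only http/https schemes and fall back to a harmless anchor."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def contains_live_tag(rendered: str, tag: str = "script") -> bool:
    """Helper used to check a rendered fragment: is there still an opening <tag ...>?"""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_COMMENT))
    print(render_escaped(SAMPLE_COMMENT))
    print(f'<a href="{safe_href(SAMPLE_LINK)}">link</a>')
```

Running the script prints the unencoded fragment (with a live script element) followed by the encoded one, in which every tag has become inert text; the link line shows the javascript: URL replaced by a bare anchor.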
Another bug is a SQL injection issue, which an attacker could use to perform database operations unintended by the web application designer and which, in some instances, can lead to total compromise of the database server. This vulnerability, if successfully exploited, could allow arbitrary code execution. CVE-2012-1815 is the number assigned to this vulnerability, which also has a CVSS V2 base score of 7.5.
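The SQL injection class above arises when a query is assembled by string concatenation. The Python snippet below is an added example and is not code from the advisory or from the DeltaV product: it builds a throwaway in-memory SQLite table with constructed rows, runs the same lookup once with string formatting and once with a bound parameter, and shows that the classic tautology input changes the result set only in the concatenated version. Table contents, column names and function names are assumptions made for the example.

```python
import sqlite3

# Constructed input for the example: the textbook tautology that turns a
# name lookup into a query matching every row when concatenated into SQL.
TAUTOLOGY_INPUT = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "operator"), ("bob", "engineer"), ("carol", "admin")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the caller's input becomes part of the SQL text,
    so quotes in the input alter the statement's structure."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the statement is fixed and the input is passed as a
    bound parameter, so it is only ever compared as a value."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("unsafe, normal input :", lookup_unsafe(db, "alice"))
    print("unsafe, tautology    :", lookup_unsafe(db, TAUTOLOGY_INPUT))
    print("safe,   tautology    :", lookup_safe(db, TAUTOLOGY_INPUT))
```

With the tautology input the concatenated query returns all three rows, while the parameterized query returns none because no user is literally named with that string. The same bound-parameter discipline applies to any driver, and it is the check a reviewer should make of every query that touches request data.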
A denial of service can occur by sending a specially crafted packet to PORTSERV.exe on both TCP/111 and UDP/111. This attack will cause the software to crash, denying service to legitimate users. CVE-2012-1816 is the number assigned to this vulnerability, which has a CVSS V2 base score of 5.
One more vulnerability is a buffer overflow: in the affected version, DeltaV does not properly sanitize input read from project files. Invalid data in certain fields can cause the program to crash and could allow arbitrary code execution. CVE-2012-1817 is the number assigned to this vulnerability, which has a CVSS V2 base score of 4.6.
File manipulation is another hole: if successfully exploited, an attacker can overwrite arbitrary files on the victim’s computer, in the context of the vulnerable application, using the ActiveX control. CVE-2012-1818 is the number assigned to this vulnerability, which has a CVSS V2 base score of 7.5.
Right now, there are no known exploits specifically targeting these vulnerabilities. An attacker with a medium skill level would be able to exploit these vulnerabilities.
Emerson created a hotfix that resolves these vulnerabilities. Emerson has distributed a notification, KBA NK-1200-0091 ICS-CERT ADVISORY – ICSA-12-137-01 Emerson Multiple Vulnerabilities: Impact and Recommended Actions, to customers who own a DeltaV Control System. The notification provides details of the vulnerabilities, recommended mitigations, and instructions on obtaining and installing the hotfix.