Researchers working for two industrial cybersecurity firms have discovered several critical and high severity vulnerabilities in Emerson DeltaV DCS Workstations. The vendor has released patches that should resolve the flaws.
Emerson DeltaV Workstations are purpose-built computers specifically designed to run DeltaV applications. According to ICS-CERT, these systems are used worldwide, mainly in the chemical and energy sectors.
An advisory published last week by ICS-CERT reveals that DeltaV DCS Workstation versions 11.3.1, 12.3.1, 13.3.0, 13.3.1 and R5 are impacted by four serious vulnerabilities.
The security holes were discovered by Nozomi Networks and one of them was independently identified by Ori Perez, security researcher at CyberX.
The most serious of the flaws, based on its CVSS score, is CVE-2018-14793, a stack-based buffer overflow that can be exploited for arbitrary code execution via an open communication port.
Also highly severe is the vulnerability discovered by Perez, CVE-2018-14795, which ICS-CERT described as an improper path validation issue that may allow an attacker to replace executable files.
“We were able to analyze the protocol and issue specially crafted commands in order to achieve remote code execution using that vulnerability,” CyberX VP of Research David Atch told SecurityWeek. “The vulnerability is a result of a coding error, which means that default Windows security mechanisms such as ASLR and DEP won’t prevent the remote code execution.”
The two other flaws, also classified as “high severity,” are a DLL hijacking issue that can lead to arbitrary code execution (CVE-2018-14797), and a vulnerability that allows non-admin users to change executable and library files on the affected workstations (CVE-2018-14791).
Register for SecurityWeek’s 2018 ICS Cyber Security Conference
Exploiting these security holes can allow an attacker to move laterally within the targeted network and possibly take control of other DeltaV workstations, CyberX and Nozomi told SecurityWeek. However, there is currently no evidence of public exploits specifically targeting these flaws.
Exploitation of the vulnerabilities requires access to the targeted workstation, either over the local network or the Internet. However, CyberX says it has not seen any DeltaV workstations directly accessible from the Web.
Moreno Carullo, co-founder and chief technical officer at Nozomi, pointed out that the notorious Triton/Trisis malware also first targeted a workstation.
Emerson has provided patches for each of the affected DeltaV Workstation versions. The company also noted that application whitelisting can block exploitation of most of these flaws as it would prevent files from being overwritten.
“To limit exposure to these and other vulnerabilities, Emerson recommends deploying and configuring DeltaV systems and related components as described in the DeltaV Security Manual, which is available in Emerson’s Guardian Support Portal,” ICS-CERT said in its advisory.
Related: Emerson Patches Severe Flaw in ControlWave Controllers
Related: Flaws Found in Emerson DeltaV, Liebert Products

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
Latest News
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
- US, Israel Provide Guidance on Securing Remote Access Software
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- Microsoft Will Pay $20M to Settle US Charges of Illegally Collecting Children’s Data
- KeePass Update Patches Vulnerability Exposing Master Password
