Flaws in Emerson Workstations Allow Lateral Movement

Researchers working for two industrial cybersecurity firms have discovered several critical and high severity vulnerabilities in Emerson DeltaV DCS Workstations. The vendor has released patches that should resolve the flaws.

Emerson DeltaV Workstations are purpose-built computers specifically designed to run DeltaV applications. According to ICS-CERT, these systems are used worldwide, mainly in the chemical and energy sectors.

An advisory published last week by ICS-CERT reveals that DeltaV DCS Workstation versions 11.3.1, 12.3.1, 13.3.0, 13.3.1 and R5 are impacted by four serious vulnerabilities.

The security holes were discovered by Nozomi Networks and one of them was independently identified by Ori Perez, security researcher at CyberX.

The most serious of the flaws, based on its CVSS score, is CVE-2018-14793, a stack-based buffer overflow that can be exploited for arbitrary code execution via an open communication port.

Also highly severe is the vulnerability discovered by Perez, CVE-2018-14795, which ICS-CERT described as an improper path validation issue that may allow an attacker to replace executable files.

“We were able to analyze the protocol and issue specially crafted commands in order to achieve remote code execution using that vulnerability,” CyberX VP of Research David Atch told SecurityWeek. “The vulnerability is a result of a coding error, which means that default Windows security mechanisms such as ASLR and DEP won’t prevent the remote code execution.”

The two other flaws, also classified as “high severity,” are a DLL hijacking issue that can lead to arbitrary code execution (CVE-2018-14797), and a vulnerability that allows non-admin users to change executable and library files on the affected workstations (CVE-2018-14791).

Exploiting these security holes can allow an attacker to move laterally within the targeted network and possibly take control of other DeltaV workstations, CyberX and Nozomi told SecurityWeek. However, there is currently no evidence of public exploits specifically targeting these flaws.

Exploitation of the vulnerabilities requires access to the targeted workstation, either over the local network or the Internet. However, CyberX says it has not seen any DeltaV workstations directly accessible from the Web.

Moreno Carullo, co-founder and chief technical officer at Nozomi, pointed out that the notorious Triton/Trisis malware also first targeted a workstation.

Emerson has provided patches for each of the affected DeltaV Workstation versions. The company also noted that application whitelisting can block exploitation of most of these flaws as it would prevent files from being overwritten.

“To limit exposure to these and other vulnerabilities, Emerson recommends deploying and configuring DeltaV systems and related components as described in the DeltaV Security Manual, which is available in Emerson’s Guardian Support Portal,” ICS-CERT said in its advisory.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
