Emerson Fixes SQL Injection Issue

Friday, May 22, 2015 @ 02:05 PM gHale

Emerson Process Management created a patch that mitigates a SQL injection vulnerability in its AMS Device Manager application, according to a report on ICS-CERT.

AMS Device Manager, V12.5 and earlier suffers from the issue.

OleumTech Fixes WIO Family Holes
More Holes Filled in Healthcare System
OSIsoft Fixes Permissions Hole
Rockwell Patches RSLinx Classic Bug

The vulnerability allows privilege escalation by an anonymous user that can result in access to administrative functions of the application.

Emerson Process Management is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.

Emerson AMS Device Manager is a software package used to monitor and manage the status of field devices. Emerson reports the software sees use worldwide primarily in the oil and gas and chemical industries.

To be able to exploit the SQL injection vulnerability, an attacker must supply malformed input to the AMS Device Manager software. Successful attack results in administrative access to the application and its data files but not to the underlying computer system.

CVE-2015-1008 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

This vulnerability is not exploitable remotely and cannot end up exploited without user interaction.

No known public exploits specifically target this vulnerability and an attacker with medium skill would be able to exploit this vulnerability.

Emerson recommends that systems using the AMS Device Manager application take the following steps soon to eliminate exposure to this vulnerability:

AMS Device Manager application v12.5

Apply the patch according to the instructions in Knowledge Base Article NK-1400-0504 (login required), upgrade to v13, or apply the workaround below:

Versions prior to AMS Device Manager v12.5

The AMS Device Manager software can end up configured to add another user (e.g., ADMIN1) with full administrative privileges and make the default administrative user have read-only privileges.

Please see DeltaV PSIRT advisory notification DSN15003-2 for more details on this issue.

Leave a Reply

You must be logged in to post a comment.