Emerson Patches RTU Holes

Friday, September 27, 2013 @ 02:09 PM gHale


Emerson Process Management created a patch that mitigates multiple vulnerabilities in its ROC800 RTU products, according to a report on ICS-CERT.

Researchers Dillon Beresford, Brian Meixell, Marc Ayala, and Eric Forner of Cimation, who discovered the holes, tested the patch to validate it resolves the remotely exploitable vulnerabilities.

RELATED STORIES
Schneider Continues Quantum Fixes
Mitsubishi ActiveX Control Bug
WellinTech KingView Vulnerabilities
SUBNET Solutions Fixes Software Bug

The following Emerson Process Management RTUs are affected:
• ROC800 Version 3.50 and prior,
• DL8000 Version 2.30 and prior, and
• ROC800L Version 1.20 and prior.

An attacker who exploits these vulnerabilities could disable the device, compromise the device integrity, and remotely execute code on the target system, according to the ICS-CERT report.

Emerson Process Management is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.

The product, the ROC800 RTU, can perform many PLC-like functions for controlling devices. It sees wide usage in oil and gas pipelines, but can also work as a general purpose controller in other applications. Emerson Process Management estimates these products primarily see use in the United States and Europe with a small percentage in Asia.

In the case of the ROC800 RTU, there are three separate hidden functionality vulnerabilities. Each of these hidden capabilities increases the attack surface for the device that an attacker could exploit.

The ROC800 RTU runs the ENEA OSE operating system. The kernel running on the ROC800 device broadcasts a network beacon allowing easier detection of the OSE Debug vulnerability. CVE-2013-0693 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.

The ROC800 RTU kernel has a port available for attaching a debug tool. A device with a running debug service allows debuggers to attach and remotely debug code on the device and is intended to be enabled, only on development systems and never on a production device. An attacker can remotely attach to the device and alter memory, registers, process states, and ultimately have full control of the device.

CVE-2013-0692 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.

A TFTP server is available on the ROC800 RTU. A TFTP service transfers files to a network attached device. The issue with the existence of this service is an attacker could potentially upload arbitrary files.

CVE-2013-0689 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.

Hard-coded accounts with passwords are in the ROC800 ROM. An attacker could have access to the operating system command shell and/or obtain authentication information for all ROC800 devices.

CVE-2013-0694 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.

There are no known public exploits specifically targeting these vulnerabilities and an attacker with a low skill would be able to exploit these vulnerabilities.

The best mitigation for these vulnerabilities is to install the vendor patch. Click here for the Emerson Process Management patch. The user will have to include their user name and password.



Leave a Reply

You must be logged in to post a comment.