Emerson Issues Controller Hotfix

Thursday, March 7, 2013 @ 05:03 PM gHale

Emerson released a hotfix that mitigates an uncontrolled resource consumption vulnerability on the DeltaV MD and SD controllers, according to a report on ICS-CERT.

This vulnerability, discovered by researcher Joel Langill, can lead to a denial of service (DoS). Exploitation of this vulnerability could cause loss of availability.

Mitigation for Emergency Broadcast System
Report: Holes Not Vulnerabilities After All
Schneider Faces Product Bugs
Mitigation for Enterprise Buildings Integrator

The following products suffer from the issue:
• DeltaV SE3006 SD Plus Controller Version 11.3.1 and earlier,
• DeltaV VE3005 Controller MD Hardware Version 10.3.1 and earlier,
• DeltaV VE3005 Controller MD Hardware Version 11.3.1 and earlier,
• DeltaV VE3006 Controller MD PLUS Hardware Version 10.3.1 and earlier, and
• DeltaV VE3006 Controller MD PLUS Hardware Version 11.3.1 and earlier.

Successful exploitation of this vulnerability also affects process controls as the controller restarts.

Emerson is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.

Emerson’s DeltaV is a general purpose process control system used worldwide primarily in the oil and gas and chemical industries.

Publicly available network mapping tools can produce a list of available ports including 23/tcp, 513/tcp, and 161/udp. Sending a specially crafted packet to these ports could result in a restart of the controller causing a DoS.

CVE-2012-4703 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.1. This vulnerability can be exploited using commonly available network mapping tools. This vulnerability is not exploitable remotely.

Public exploits may exist that could target this vulnerability. An attacker with a low skill would be able to exploit this vulnerability.

A customer notification will go out to customers who own a DeltaV control system. The notification provides details of the vulnerability, recommended mitigations, and instructions on obtaining and installing the hotfix.

Emerson recommends customers using DeltaV v7.x, v8.x, v9.3.x, v10.3, and v11.3 or earlier update to DeltaV v10.3.1 or v11.3.1 or install the DeltaV Controller Firewall to mitigate this vulnerability. Users can obtain the customer notification by contacting their Emerson sales office.

Emerson said — and confirmed by Joel Langill — the DeltaV Controller Firewall mitigates this vulnerability. However, Emerson recommends all users install the hotfix.

Leave a Reply

You must be logged in to post a comment.