Emerson has updates available to address missing authentication for critical function and insufficient verification of data authenticity vulnerabilities in its Ovation product, according to a report from CISA.

CISA is aware of a public report, known as “OT:ICEFALL,” detailing vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing the risk of these and other cybersecurity attacks.

Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities.

Successful exploitation of these remotely exploitable vulnerabilities could allow remote code execution, loss of sensitive information, or denial-of-service, or allow an attacker to modify the controller configuration.

The following Emerson products suffer from the vulnerabilities: Ovation, version 3.8.0 Feature Pack 1 and prior.

In one vulnerability, the affected product has several protocols that have no authentication, which could allow an attacker to change controller configuration or cause a denial-of-service condition.

CVE-2022-29966 is the case number for this vulnerability, which has a CVSS v3.1 base score of 9.8. There is also a CVSS v4 base score of 9.3.

In addition, the affected product has no authentication of firmware signing and relies on an insecure checksum for integrity. This could allow an attacker to push malicious firmware images, cause a denial-of-service condition, or achieve remote code execution.

CVE-2022-30267 is the case number for this vulnerability, which has a CVSS v3.1 base score of 9.1. There is also a CVSS v4 base score of 8.7.
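The firmware integrity weakness described above comes down to the difference between a checksum and an authenticated tag. The following is an added example, not Emerson's code and not taken from the advisory: the image layout, the choice of CRC32 as the checksum, and the sample values are all constructed assumptions, and HMAC-SHA256 stands in for a vendor signature only to keep the example within the Python standard library (production firmware signing would normally use an asymmetric signature so devices hold no signing secret).

```python
import hashlib
import hmac
import struct
import zlib

# Constructed layout (an assumption, not Ovation's real format): payload || trailer.
TAG_LEN = hashlib.sha256().digest_size

def pack_checksum_only(payload: bytes) -> bytes:
    return payload + struct.pack(">I", zlib.crc32(payload))

def verify_checksum_only(image: bytes) -> bool:
    """Unkeyed CRC32: catches accidental corruption, proves nothing about origin."""
    if len(image) < 4:
        return False
    payload, trailer = image[:-4], image[-4:]
    return struct.pack(">I", zlib.crc32(payload)) == trailer

def pack_authenticated(payload: bytes, key: bytes) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify_authenticated(image: bytes, key: bytes) -> bool:
    """Keyed tag: only a holder of the key can produce a trailer that verifies."""
    if len(image) < TAG_LEN:
        return False
    payload, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def demo() -> dict:
    key = b"constructed-demo-key"                # constructed, not a real secret
    original = b"FWIMG v1 constructed payload"   # constructed sample image body
    altered = b"FWIMG v1 constructed PAYLOAD"    # same body after modification
    flipped = bytearray(pack_checksum_only(original))
    flipped[0] ^= 0x01                           # simulate a transmission bit error
    signed = pack_authenticated(original, key)
    return {
        "crc_accepts_original": verify_checksum_only(pack_checksum_only(original)),
        "crc_rejects_bit_error": not verify_checksum_only(bytes(flipped)),
        # The trailer is recomputable by anyone, so a modified body still passes.
        "crc_accepts_altered": verify_checksum_only(pack_checksum_only(altered)),
        "mac_accepts_original": verify_authenticated(signed, key),
        # Without the key the old tag no longer matches the modified body.
        "mac_accepts_altered": verify_authenticated(altered + signed[-TAG_LEN:], key),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The checksum-only verifier accepts the modified body because its trailer depends on nothing but the bytes being checked, while the keyed verifier rejects it.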

The product sees use mainly in the energy sector, and on a global basis.

No known exploit specifically targets these vulnerabilities. However, an attacker could leverage these low-complexity vulnerabilities.

Emerson recommends the following:

  • Upgrade to the currently available release of Ovation 3.8.0 Feature Pack 3 for remediation of many of the identified vulnerabilities.
  • Users should consider the use of OCR3000 controllers, which offer an extra layer of protection that is not available to older controller models.
  • Deploy and configure Ovation systems and related components as described in the Cybersecurity for Ovation Systems manual (OVREF1000), available on the Ovation Users’ Group website (User Manuals | Reference Manuals; login required).
  • Users with questions or concerns regarding the impact of these vulnerabilities on Ovation should email the Ovation-CERT or phone (1-800-445-9723, option 3). 
