Emerson Updates RTU Mitigations

Wednesday, December 3, 2014 @ 04:12 PM gHale

There are new mitigation details for the multiple vulnerabilities affecting Emerson Process Management’s ROC800 remote terminal units (RTUs) products (ROC800, ROC800L, and DL8000), according to a report on ICS-CERT.

Researchers Dillon Beresford, Brian Meixell, Marc Ayala, and Eric Forner, formerly of Cimation, discovered the multiple vulnerabilities in the RTU products.


Emerson produced a patch that mitigates these vulnerabilities and the researchers tested the patch to validate that it resolves the remotely exploitable vulnerabilities.

The following Emerson Process Management RTUs suffer from the issue:
• ROC800 Version 3.50 and prior
• DL8000 Version 2.30 and prior
• ROC800L Version 1.20 and prior

An attacker who exploits these vulnerabilities could disable the device, compromise the device integrity, and remotely execute code on the target system.

Emerson Process Management is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.

The affected product, the ROC800 RTU, can perform many PLC-like functions for controlling devices. It sees wide use in oil and gas pipelines, but can also work as a general purpose controller in other applications. Emerson said these products see use primarily in the United States and Europe with a small percentage in Asia.

In the case of the ROC800 RTU, there are three separate hidden functionality vulnerabilities. Each of these hidden capabilities increases the attack surface for the device.

In one instance, the vulnerability stems from the ENEA OSE operating system the ROC800 RTU runs: the kernel on the ROC800 device broadcasts a network beacon that makes the OSE debug service easier to discover. This vulnerability could end up remotely exploited.

CVE-2013-0693 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

Also, the ROC800 RTU kernel has a port available for attaching a debug tool. A device with a running debug service allows debuggers to attach and remotely debug code on the device and should only end up enabled on development systems and never on a production device. An attacker can remotely attach to the device and alter memory, registers, process states, and ultimately have full control of the device. This vulnerability is remotely exploitable.

CVE-2013-0692 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

In addition, a TFTP server is available on the ROC800 RTU. A TFTP service sees use for transferring files to a network-attached device. The issue with the existence of this service is that arbitrary files can potentially end up uploaded to the device. This vulnerability is remotely exploitable.

CVE-2013-0689 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
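The services described above (a TFTP server and a debug port left reachable on a production RTU) are the kind of exposure a perimeter firewall log can reveal. The following is an added example, not code from the advisory, Emerson or ICS-CERT: it parses constructed firewall log lines and flags any traffic toward the RTU addresses that hits TFTP (UDP/69) or a service outside an allowlist. The RTU addresses, the log format and the allowed polling port (4000/tcp) are assumptions for the example; the advisory itself names no port numbers, so a site would substitute its own values.

```python
"""Flag traffic to RTU addresses that reaches services which should not be
exposed in production: TFTP on UDP/69 and anything outside an allowlist.
Added example; log lines, addresses and the allowlist are constructed."""
import re
from dataclasses import dataclass

# Constructed: addresses of the RTUs in the OT segment being monitored.
RTU_ADDRESSES = {"10.0.50.11", "10.0.50.12"}

# Assumption: the only host-to-RTU service expected in production.
# The advisory names no ports; replace with the site's actual polling setup.
ALLOWED_SERVICES = {("tcp", 4000)}

# TFTP is a well-known service (UDP/69); the advisory says it allows
# arbitrary file upload on affected firmware, so any hit is worth an alert.
TFTP = ("udp", 69)

# Constructed syslog-like line format: "<ts> fw: <ACCEPT|DROP> <proto> src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw: (?P<action>ACCEPT|DROP) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    service: tuple
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return an alert reason for an event aimed at an RTU, else None.
    Both accepted and dropped connections are reported: a dropped TFTP
    attempt still tells the operator someone is probing the RTU."""
    if event["dst"] not in RTU_ADDRESSES:
        return None
    service = (event["proto"], int(event["dport"]))
    if service == TFTP:
        return "tftp-to-rtu"
    if service not in ALLOWED_SERVICES:
        return "unexpected-service-to-rtu"
    return None


def find_exposures(lines):
    """Run every log line through the parser and classifier; return findings in order."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reason = classify(event)
        if reason:
            findings.append(Finding(event["ts"], event["src"], event["dst"],
                                    (event["proto"], int(event["dport"])), reason))
    return findings


# Constructed sample: one legitimate poll, one TFTP hit, one telnet hit, one unrelated flow.
SAMPLE_LOG = """\
2014-12-03T14:01:07 fw: ACCEPT tcp 10.0.10.5:51022 -> 10.0.50.11:4000
2014-12-03T14:01:09 fw: ACCEPT udp 10.0.10.77:49800 -> 10.0.50.11:69
2014-12-03T14:01:12 fw: ACCEPT tcp 10.0.10.77:49811 -> 10.0.50.12:23
2014-12-03T14:01:15 fw: ACCEPT tcp 10.0.10.5:51023 -> 10.0.60.9:80
"""

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} -> {f.dst} {f.service[0]}/{f.service[1]}: {f.reason}")
```

Run against the constructed sample, the first line (the expected poll) passes, the TFTP and telnet lines are reported, and the flow to a non-RTU address is ignored. The same allowlist approach, applied as a firewall rule rather than a log check, is what an in-line device such as the secure router mentioned later in the advisory enforces.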

Hard-coded accounts with passwords are in the ROC800 ROM. An attacker could have access to the operating system command shell and/or obtain authentication information for all ROC800 devices. These vulnerabilities are remotely exploitable.

CVE-2013-0694 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.0.

A TCP replay attack could end up executed on the ROC800 causing it to execute commands not intended by the user.

CVE-2013-2810 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.

The best mitigation for these vulnerabilities is to install the vendor patch. The Emerson Process Management patch is available via the following web link, which requires a user name and password.

Emerson identified and verified that a third-party secure router, the Moxa EDR-810, mitigates the identified vulnerabilities when used in combination with the ROC800 platform. Emerson said that, by adding the EDR-810 between the host and the field device, it is virtually impossible for an attacker to eavesdrop on communications or falsify commands.

The EDR-810 is a highly integrated industrial multiport secure router with Firewall/NAT/VPN. The compatibility of the EDR-810 with the ROC800 platform underwent testing and verification by Emerson Remote Automation Solutions. Emerson determined the EDR-810 is suitable for field installation.

The EDR-810 uses IPSec server or client mode for encryption and authentication of all IP packets at the network layer to ensure confidentiality and sender authentication.

