Flaws in Emerson Workstations Allow Lateral Movement
21.8.18 securityweek ICS
Researchers working for two industrial cybersecurity firms have discovered several critical and high severity vulnerabilities in Emerson DeltaV DCS Workstations. The vendor has released patches that should resolve the flaws.
Emerson DeltaV Workstations are purpose-built computers specifically designed to run DeltaV applications. According to ICS-CERT, these systems are used worldwide, mainly in the chemical and energy sectors.
An advisory published last week by ICS-CERT reveals that DeltaV DCS Workstation versions 11.3.1, 12.3.1, 13.3.0, 13.3.1 and R5 are impacted by four serious vulnerabilities.
The security holes were discovered by Nozomi Networks and one of them was independently identified by Ori Perez, security researcher at CyberX.DeltaV Workstation vulnerabilities
The most serious of the flaws, based on its CVSS score, is CVE-18-14793, a stack-based buffer overflow that can be exploited for arbitrary code execution via an open communication port.
Also highly severe is the vulnerability discovered by Perez, CVE-18-14795, which ICS-CERT described as an improper path validation issue that may allow an attacker to replace executable files.
“We were able to analyze the protocol and issue specially crafted commands in order to achieve remote code execution using that vulnerability,” CyberX VP of Research David Atch told SecurityWeek. “The vulnerability is a result of a coding error, which means that default Windows security mechanisms such as ASLR and DEP won't prevent the remote code execution.”
The two other flaws, also classified as “high severity,” are a DLL hijacking issue that can lead to arbitrary code execution (CVE-18-14797), and a vulnerability that allows non-admin users to change executable and library files on the affected workstations (CVE-18-14791).
Exploiting these security holes can allow an attacker to move laterally within the targeted network and possibly take control of other DeltaV workstations, CyberX and Nozomi told SecurityWeek. However, there is currently no evidence of public exploits specifically targeting these flaws.
Exploitation of the vulnerabilities requires access to the targeted workstation, either over the local network or the Internet. However, CyberX says it has not seen any DeltaV workstations directly accessible from the Web.
Moreno Carullo, co-founder and chief technical officer at Nozomi, pointed out that the notorious Triton/Trisis malware also first targeted a workstation.
Emerson has provided patches for each of the affected DeltaV Workstation versions. The company also noted that application whitelisting can block exploitation of most of these flaws as it would prevent files from being overwritten.
“To limit exposure to these and other vulnerabilities, Emerson recommends deploying and configuring DeltaV systems and related components as described in the DeltaV Security Manual, which is available in Emerson’s Guardian Support Portal,” ICS-CERT said in its advisory.