Critical-Severity Flaws Expose Emerson Devices to Cyberattacks
Multiple critical vulnerabilities in Emerson gas chromatographs have been identified, posing a serious threat of cyberattacks that could lead to data breaches, denial-of-service attacks, and the execution of arbitrary commands. These vulnerabilities were discovered by security researchers at operational technology security firm Claroty’s Team82, highlighting the potential risks associated with these widely used devices.
Gas chromatographs play a crucial role in various industries, including chemical, environmental, and healthcare sectors, where they are used to analyze and separate chemical compounds. The Emerson Rosemount 370XA model, in particular, relies on a proprietary communication protocol to interact with technicians’ computers, making it vulnerable to exploitation.
The researchers identified four key vulnerabilities in the Emerson gas chromatographs, including two command injection flaws, an authentication bypass, and an authorization vulnerability. One of the command injection flaws received a critical severity score of 9.8 on the CVSS v3 scale, indicating the significant risk it poses to the security of these devices.
One of the vulnerabilities, tracked as CVE-2023-46687, involves an unauthenticated remote code execution or command injection flaw related to the “forced calibration” command type. This vulnerability allows attackers to inject arbitrary shell commands, potentially leading to the execution of malicious code on the targeted device.
Another vulnerability, tracked as CVE-2023-51761, is an authentication bypass that enables attackers to reset the administrator password by calculating a secret passphrase derived from the device’s MAC address. This flaw can grant unauthorized access to the device, compromising its security and confidentiality.
Additionally, the vulnerability tracked as CVE-2023-49716 allows unauthenticated users with network access to bypass authentication mechanisms and acquire administrator privileges, potentially leading to unauthorized control and manipulation of the device.
The final vulnerability, identified as CVE-2023-43609, involves a command injection flaw via the reboot functionality, which allows authenticated users with network access to execute arbitrary commands from a remote computer. This vulnerability could be exploited to launch further attacks or disrupt the normal operation of the device.
To address these vulnerabilities, Emerson has issued a security advisory recommending that end users update the firmware on the affected products. The Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory highlighting the risks associated with these flaws and providing guidance on mitigating the potential impact of these vulnerabilities.
In conclusion, the discovery of critical vulnerabilities in Emerson gas chromatographs underscores the importance of robust cybersecurity measures in protecting industrial control systems and critical infrastructure. By addressing these vulnerabilities promptly and implementing security best practices, organizations can enhance the resilience of their operational technology environments and safeguard against potential cyber threats.