Several Vulnerabilities Identified In Emerson OpenEnterprise

scada systems in oil gas industry

Recently four vulnerabilities were found in Emerson OpenEnterprise and were accounted for to the vendor in December 2019 with the patches released a couple of months later.

Roman Lozko, a researcher at Kaspersky’s ICS CERT unit, was responsible for the identification of the flaws, and the security holes found by him have been depicted as ‘heap-based cushion buffer, missing authentication, improper ownership management, and weak encryption issues.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Kaspersky published advisories for three of the vulnerabilities a week ago. The rest of the vulnerability was described by Kaspersky in a previous advisory.

As indicated by Emerson, OpenEnterprise is explicitly intended to address the prerequisites of associations focusing on oil and gas production, transmission, and distribution.

The initial two followed as CVE-2020-6970 and CVE-2020-10640 are depicted as critical, as they can allow an attacker to remotely execute discretionary code with ‘elevated privileges’ on devices running OpenEnterprise.

Vladimir Dashchenko, a security expert at Kaspersky, says an attacker could misuse these vulnerabilities either from the system or directly from the internet. Notwithstanding, there don’t give off an impression of being any occurrences of the affected product exposed to the internet.

“The most critical vulnerabilities allow remote attackers to execute any command on a computer with OpenEnterprise on it with system privileges, so this might lead to any possible consequences,”

 “Based on Shodan statistics, currently there are no directly exposed OpenEnterprise SCADA systems available,” Dashchenko explained. “It means that asset owners with installed OpenEnterprise are definitely following the basic security principles for industrial control systems.”

The rest of the vulnerabilities can be exploited to ‘escalate privileges’ and to acquire passwords for OpenEnterprise user accounts, yet exploitation in the two cases requires local access to the targeted system.

Original Source