Emerson DeltaV DCS Workstations fixed several vulnerabilities recently, including path traversal, privilege escalation, stack-based buffer overflow, etc. The highest CVSS 3.0 base score is 9.6. Emerson has released patches to address these problems.
For detailed information, please visit: https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01
Description
- CVE-2018-14797
CVSS v3: 8.2
A specially crafted DLL file may be placed in the search path and loaded as an internal and valid DLL, which may allow arbitrary code execution.
- CVE-2018-14795
CVSS v3: 8.8
Improper path validation may allow attackers to replace executable files.
- CVE-2018-14791
CVSS v3: 8.2
Non-administrative users are allowed to change executable and library files on the affected products.
- CVE-2018-14793
CVSS v3: 9.6
An open communication port could be exploited for arbitrary code execution.
Affected Versions
- DeltaV: v11.3.1, v12.3.1, v13.3.0, v13.3.1, R5
Solution
Software patches are available to users with access to the Guardian Support Portal at https://guardian.emersonprocess.com/
