During a security analysis, Positive Technologies specialists detected a critical security error in the Emerson DeltaV distributed control system. While having access to the system, an intruder is able to read and replace its configuration files, and to run commands with any user's rights. The vulnerability affects DeltaV versions 10.3.1, 11.3 and 12.3. Emerson’s DeltaV is a general purpose process control system that is used worldwide primarily in the oil and gas and chemical industries.
More information about the security error can be found in the CERT bulletin ICSA-14-133-02. The Positive Technologies experts Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov and Timur Yunusov discovered the vulnerability.
Emerson issued a patch that mitigates errors and a notice, where information about the vulnerability and recommendations on removal of possible exploitation consequences can be found.
In addition, ICS-CERT specialists recommend Emerson DeltaV users to limit access to their networks from outside, protect the networks with firewalls and use secure protocols (for example, VPN) when set up a remote access.
Emerson is a global manufacturing and technology company offering multiple products and services in the industrial, commercial, and consumer markets through its network power, process management, industrial automation, climate technologies, and tools and storage businesses.
This is not the first time when Positive Technologies specialists have detected critical vulnerabilities in production systems. Previously, Siemens released several patches to fix a number of serious vulnerabilities in certain systems, including ICS (development tools and HMI). Moreover, Positive Technologies experts helped to fix high-risk vulnerabilities in Wonderware Information Server by Invensys, which is a part of a unified solution for building SCADA and HMI systems.