nessus
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
TENABLE_OT_EMERSON_CVE-2019-10965.NASL
History: Aug 08, 2024 - 12:00 a.m.

Emerson Ovation OCR400 Controller Heap-Based Buffer Overflow (CVE-2019-10965)

2024-08-08 00:00:00
www.tenable.com
emerson ovation ocr400
heap-based buffer overflow
ftp service
memory corruption
remote code execution
privilege escalation
tenable.ot.

CVSS2: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a heap-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long command to the FTP service, which may cause memory corruption that halts the controller or leads to remote code execution and escalation of privileges.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(502360);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");

  script_cve_id("CVE-2019-10965");
  script_xref(name:"ICSA", value:"19-148-01");

  script_name(english:"Emerson Ovation OCR400 Controller Heap-Based Buffer Overflow (CVE-2019-10965)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a heap-based
buffer overflow vulnerability in the embedded third-party FTP server
involves improper handling of a long command to the FTP service, which
may cause memory corruption that halts the controller or leads to
remote code execution and escalation of privileges.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-19-148-01");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Emerson is issuing a notice to its customer base with mitigation recommendations, encouraging users with this older
software to upgrade to a more current version supported by Emerson and the third-party vendor.

For users with installations of the affected versions, Emerson recommends following the instructions outlined in Step 1
and Step 2 (below) to determine whether communication services (including FTP) have been enabled. If communication
services have been enabled, Emerson recommends users return FTP services to their default (disabled) state as soon as is
practical. If users are unable to make controller changes or disable communication services per the instructions below,
they are strongly encouraged to restrict FTP communications to the required database and controller drops only. Review
Ovation Software and Hardware

Step 1 – Check the Ovation Controller Type

In Ovation Developer Studio, right-click on each controller object, select “Open” and review the “Controller Type”
listed. Alternately, run a System Registration report and verify the “Model” for each controller.

- OCR400: The controller is potentially affected; continue with Step 2 (below)
- OCR161: The controller is not affected by the vulnerabilities detailed in this advisory, and can be disregarded

Step 2 – Check the Ovation Software Version

Ovation v3.0.4 and older

FTP services cannot be disabled using the Communications Services configuration detailed below. Emerson recommends users
of retired systems, including Ovation v3.3.1 and older, consider upgrading to a more current version in which these
issues do not exist.

However, separate mitigation involving network configuration may still be possible. Please refer to the “Review Ovation
Highway Switch Configuration” section (below).

Ovation v3.1.0 – v3.3.1

Follow the “Determine Current State of Communications Services” (below).

Ovation v3.5.0 and Newer

FTP communications services cannot be enabled. This advisory does not apply to those versions.

Determine Current State of Communication Services

Two methods exist for checking the current state of controller communication services:");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-10965");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(787);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/08/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:emerson:ovation_ocr400_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Emerson");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Emerson');

var asset = tenable_ot::assets::get(vendor:'Emerson');

var vuln_cpes = {
    "cpe:/o:emerson:ovation_ocr400_firmware" :
        {"versionEndIncluding" : "3.3.1", "family" : "Ovation"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
