CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a heap-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long command to the FTP service, which may cause memory corruption that halts the controller or leads to remote code execution and escalation of privileges.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
  script_id(502360);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");
  script_cve_id("CVE-2019-10965");
  script_xref(name:"ICSA", value:"19-148-01");
  script_name(english:"Emerson Ovation OCR400 Controller Heap-Based Buffer Overflow (CVE-2019-10965)");
  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a heap-based
buffer overflow vulnerability in the embedded third-party FTP server
involves improper handling of a long command to the FTP service, which
may cause memory corruption that halts the controller or leads to
remote code execution and escalation of privileges.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-19-148-01");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.
Emerson is issuing a notice to its customer base with mitigation recommendations, encouraging users with this older
software to upgrade to a more current version supported by Emerson and the third-party vendor.
For users with installations of the affected versions, Emerson recommends following the instructions outlined in Step 1
and Step 2 (below) to determine whether communication services (including FTP) have been enabled. If communication
services have been enabled, Emerson recommends users return FTP services to their default (disabled) state as soon as is
practical. If users are unable to make controller changes or disable communication services per the instructions below,
they are strongly encouraged to restrict FTP communications to the required database and controller drops only. Review
Ovation Software and Hardware
Step 1 - Check the Ovation Controller Type
In Ovation Developer Studio, right-click on each controller object, select “Open” and review the “Controller Type”
listed. Alternately, run a System Registration report and verify the “Model” for each controller.
- OCR400: The controller is potentially affected; continue with Step 2 (below)
- OCR161: The controller is not affected by the vulnerabilities detailed in this advisory, and can be disregarded
Step 2 - Check the Ovation Software Version
Ovation v3.0.4 and older
FTP services cannot be disabled using the Communications Services configuration detailed below. Emerson recommends users
of retired systems, including Ovation v3.3.1 and older, consider upgrading to a more current version in which these
issues do not exist.
However, separate mitigation involving network configuration may still be possible. Please refer to the “Review Ovation
Highway Switch Configuration” section (below).
Ovation v3.1.0 - v3.3.1
Follow the “Determine Current State of Communications Services” (below).
Ovation v3.5.0 and Newer
FTP communications services cannot be enabled. This advisory does not apply to those versions.
Determine Current State of Communication Services
Two methods exist for checking the current state of controller communication services:");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-10965");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(787);
  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/08/08");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:emerson:ovation_ocr400_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");
  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Emerson");
  exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Emerson');
var asset = tenable_ot::assets::get(vendor:'Emerson');
var vuln_cpes = {
  "cpe:/o:emerson:ovation_ocr400_firmware" :
    {"versionEndIncluding" : "3.3.1", "family" : "Ovation"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);