Researchers Warn of Flaws in Widely Used Industrial Gas Analysis Equipment

Multiple security flaws have been disclosed in Emerson Rosemount gas chromatographs that could be exploited by malicious actors to obtain sensitive information, induce a denial-of-service (DoS) condition, and even execute arbitrary commands.

The flaws impact GC370XA, GC700XA, and GC1500XA and reside in versions 4.1.5 and prior.

According to operational technology (OT) security firm Claroty, the vulnerabilities include two command injection flaws and two separate authentication and authorization vulnerabilities that could be weaponized by unauthenticated attackers to perform a wide range of malicious actions ranging from authentication bypass to command injection.

“Successful exploitation of these vulnerabilities could allow an unauthenticated attacker with network access to run arbitrary commands, access sensitive information, cause a denial-of-service condition, and bypass authentication to acquire admin capabilities,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory released in January.

The chromatograph, which is used for carrying out critical gas measurements, can be configured and managed by means of a software called MON. The software can also be used to store critical data and generate reports such as chromatograms, alarm history, event logs, and maintenance logs.

Claroty’s analysis of the firmware and the proprietary protocol used for communications between the device and the Windows client named MON2020 has revealed the following shortcomings -

• CVE-2023-46687 (CVSS score: 9.8) - An unauthenticated user with network access could execute arbitrary commands in root context from a remote computer
• CVE-2023-49716 (CVSS score: 6.9) - An authenticated user with network access could run arbitrary commands from a remote computer
• CVE-2023-51761 (CVSS score: 8.3) - An unauthenticated user with network access could bypass authentication and acquire admin capabilities by resetting the associated password
• CVE-2023-43609 (CVSS score: 6.9) - An unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition

Following responsible disclosure, Emerson has released [PDF] an updated version of the firmware that addresses the vulnerabilities. The company is also recommending end users to follow cybersecurity best practices and ensure that the affected products are not directly exposed to the internet.

The disclosure comes as Nozomi Networks detailed several flaws in AiLux RTU62351B that could be abused to access sensitive resources on the device, alter its configuration, and even achieve execution of arbitrary commands as root. The vulnerabilities have been collectively dubbed I11USION.

Security flaws have also been identified in Proges Plus temperature monitoring devices and their associated software, namely Sensor Net Connect and Thermoscan IP, that could permit admin privileges over critical medical systems, thereby making it possible for a malicious actor to manipulate system settings, install malware, and exfiltrate data.

These vulnerabilities, which remain unpatched, could also result in a DoS condition of medical monitoring infrastructure, leading to spoilage of temperature-sensitive medicines and vaccines.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.