Researchers have identified a wide range of vulnerabilities in remote terminal units manufactured by Emerson Process Management that are widely used in oil and gas pipelines and other applications.
The vulnerabilities include a number of hidden functions in the RTUs, an authentication bypass and hardcoded credentials. All of the vulnerabilities are remotely exploitable, and an attacker would be able to execute arbitrary code on target devices.
“An attacker who exploits these vulnerabilities could disable the device, compromise the device integrity, and remotely execute code on the target system,” an advisory from ICS-CERT says.
“The affected product, the ROC800 RTU, can perform many PLC-like functions for controlling devices. It is widely used in oil and gas pipelines, but can also be used as a general purpose controller in other applications. Emerson Process Management estimates that these products are used primarily in the United States and Europe with a small percentage in Asia.”
All of the flaws in the Emerson products are serious, but perhaps the most worrisome is the existence of the hardcoded credentials.
“Hard-coded accounts with passwords have been discovered in the ROC800 ROM. An attacker could have access to the operating system command shell and/or obtain authentication information for all ROC800 devices. These vulnerabilities could be exploited remotely,” the advisory says.
Emerson has issued a patch for all of the vulnerabilities except for the authentication bypass. For that bug, the company is suggesting that customers install a secure router in front of the vulnerable products.
“Emerson has identified and verified that a third-party secure router, the Moxa EDR-810, mitigates the identified vulnerabilities when used in combination with the ROC800 platform. At this time, Emerson recommends that concerned asset owners install the EDR 810 between the host and the field device to mitigate this vulnerability,” the advisory says.