Full Report
An attacker with network access to the affected distributed control system (DCS) workstation can bypass the authentication of a maintenance port via brute force, because the number of login attempts is not limited. Having access to a maintenance port, the attacker can cause a denial-of-service condition.
Analysis Summary
# Vulnerability: DeltaV Maintenance Port Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2018-19021
- **CVSS Score:** 8.6 (High) - *Note: Based on the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H provided in the source.*
- **CWE:** CWE-307 (Improper Restriction of Excessive Authentication Attempts)
## Affected Systems
- **Products:** Emerson DeltaV Distributed Control System (DCS)
- **Versions:** 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6, and prior versions.
- **Configurations:** Systems where maintenance ports are accessible over the network.
## Vulnerability Description
A vulnerability exists in the authentication mechanism of the maintenance ports used by DeltaV workstations. The system fails to limit the number of failed login attempts, enabling a remote attacker to perform a brute-force attack. Successful authentication bypass allows the attacker to access maintenance functions, which can be leveraged to cause a Denial-of-Service (DoS) condition on the DCS workstation.
## Exploitation
- **Status:** PoC available (Verification of exploitability exists).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Low (Access to maintenance port data).
- **Integrity:** Low (Potential for unauthorized configuration changes).
- **Availability:** High (Ability to trigger a Denial-of-Service condition).
## Remediation
### Patches
- Emerson released a patch in January 2019. Users should log into the **Emerson Guardian Support portal** to download and apply the specific update for their version.
### Workarounds
- Protect vulnerable workstations by implementing strict network segmentation.
- Use a border firewall or industrial security appliance to restrict access to the following ports:
  - **705/TCP**
  - **706/TCP**
  - **709/TCP**
  - **750/TCP**
  - **751/TCP**
## Detection
- **Indicators of Compromise:** Monitor network logs for an unusually high frequency of connection attempts or authentication failures on the TCP ports listed above.
- **Detection Methods:** Deploy Intrusion Detection System (IDS) signatures designed to catch brute-force patterns targeting DeltaV maintenance services.
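
The monitoring described above, sketched as an added example (not taken from the advisory or from Emerson): a sliding-window counter over firewall connection records to the listed ports. The log line format, the 192.0.2.x addresses, and the threshold of 5 connections in 60 seconds are assumptions, and connection attempts stand in for authentication failures because the page does not describe the service's own log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Maintenance ports named in the advisory's workaround list.
DELTAV_PORTS = {705, 706, 709, 750, 751}

def parse_line(line):
    """Parse 'ISO-timestamp src_ip dst_ip port/TCP' (assumed, constructed format)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, port_proto = parts
    port, _, proto = port_proto.partition("/")
    try:
        when, port = datetime.fromisoformat(ts), int(port)
    except ValueError:
        return None
    if proto.upper() != "TCP":
        return None
    return when, src, dst, port

def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(src, dst): peak count} for pairs reaching threshold within window."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    peaks = {}
    events = sorted(e for e in map(parse_line, lines) if e and e[3] in DELTAV_PORTS)
    for when, src, dst, _port in events:
        q = recent[(src, dst)]
        q.append(when)
        while when - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), len(q))
    return peaks

# Constructed sample: a rapid burst to 705/TCP, unrelated 443/TCP traffic,
# two widely spaced maintenance connections, and one unparseable line.
SAMPLE_LOG = (
    [f"2024-01-01T10:00:{s:02d} 192.0.2.66 192.0.2.10 705/TCP" for s in range(0, 16, 2)]
    + [f"2024-01-01T10:00:{s:02d} 192.0.2.66 192.0.2.10 443/TCP" for s in range(20)]
    + ["2024-01-01T08:15:00 192.0.2.50 192.0.2.10 751/TCP",
       "2024-01-01T11:40:00 192.0.2.50 192.0.2.10 751/TCP",
       "malformed line"]
)

if __name__ == "__main__":
    for (src, dst), count in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {dst}: {count} maintenance-port connections in 60s")
```

Tune the threshold and window against the normal connection rate of legitimate engineering stations before alerting on the output.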
## References
- **Kaspersky ICS CERT Advisory:** hxxps://ics-cert[.]kaspersky[.]com/advisories/2019/03/01/klcert-19-001-deltav-authentication-bypass/
- **NVD CVE-2018-19021:** hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2018-19021
- **Vendor Portal:** Emerson Guardian Support Portal