Remote code execution in Emerson AMS Device Manager.
# Vulnerability: Remote Code Execution in Emerson AMS Device Manager
## CVE Details
- **CVE ID:** CVE-2018-14804
- **CVSS Score:** 8.6 (High) - *Note: Based on the vector [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H] provided in the text.*
- **CWE:** Not specified (Patterns suggest Improper Input Validation or Lack of Sandboxing)
## Affected Systems
- **Products:** Emerson AMS Device Manager
- **Versions:** v12.0 to v13.5
- **Configurations:** Systems where the AMS Device Manager is active and accessible to local or low-privileged users.
## Vulnerability Description
The vulnerability stems from the way Emerson AMS Device Manager handles specific scripts. An attacker can leverage a specially crafted script that, when executed, bypasses security restrictions to achieve arbitrary code execution. Because the CVSS vector indicates a "Scope Change" (S:C), the exploit likely allows code execution outside of the immediate application environment, potentially affecting the underlying operating system.
## Exploitation
- **Status:** Unknown (No public PoC or active exploitation in the wild was reported at the time of advisory).
- **Complexity:** Low
- **Attack Vector:** Local (Requires local access or a user to trigger a crafted script; however, the advisory notes the impact results in remote code execution).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
Emerson released a software update in September 2018 to address this flaw.
- **AMS Device Manager:** Ensure the system is updated to the latest patched version (contact Emerson for specific build numbers relevant to v12.0 - v13.5).
### Workarounds
The advisory does not list specific workarounds. General ICS security hardening is recommended:
- Restrict physical and logical access to AMS Device Manager workstations.
- Enforce the principle of least privilege for users operating the software.
- Monitor for unauthorized or suspicious script execution.
## Detection
- **Indicators of Compromise:** Monitor for unexpected child processes originating from the AMS Device Manager service or application executables.
- **Detection methods and tools:** Use Endpoint Detection and Response (EDR) tools to flag the execution of unauthorized scripts within the AMS directory.
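
The two detection ideas above, combined into one triage function over process-creation events. This is an added example, not code from Emerson or the advisory. The install directory, executable names, allow-lists and sample events are constructed placeholders; the event field names follow Sysmon Event ID 1.

```python
import re
from pathlib import PureWindowsPath

# Assumptions, not values from the advisory: replace with your own baseline.
AMS_DIR = PureWindowsPath(r"C:\PLACEHOLDER\AMS")  # install directory
ALLOWED_CHILDREN = {"placeholder_helper.exe"}     # expected child images
APPROVED_SCRIPTS = {r"c:\placeholder\ams\scripts\approved.vbs"}
# A script path under AMS_DIR anywhere in a command line.
SCRIPT_RE = re.compile(
    re.escape(str(AMS_DIR)) + r'\\[^"]*?\.(?:vbs|js|wsf|ps1|bat|cmd|hta)\b',
    re.IGNORECASE)

def under_ams(path):
    # PureWindowsPath compares case-insensitively, as Windows paths do.
    return AMS_DIR in PureWindowsPath(path).parents

def triage(event):
    """Return the reasons a process-creation event deserves review."""
    reasons = []
    child = PureWindowsPath(event["Image"]).name.lower()
    if under_ams(event["ParentImage"]) and child not in ALLOWED_CHILDREN:
        reasons.append("unexpected child of AMS process: " + child)
    for script in SCRIPT_RE.findall(event["CommandLine"]):
        if script.lower() not in APPROVED_SCRIPTS:
            reasons.append("unapproved script in AMS directory: " + script)
    return reasons

def flagged(events):
    """Indexes of the events that triage() gives at least one reason for."""
    return [i for i, e in enumerate(events) if triage(e)]

# Constructed events; field names follow Sysmon Event ID 1 (process creation).
EVENTS = [
    {"Image": r"C:\PLACEHOLDER\AMS\placeholder_helper.exe",
     "ParentImage": r"C:\PLACEHOLDER\AMS\placeholder_main.exe",
     "CommandLine": "placeholder_helper.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"c:\placeholder\ams\placeholder_main.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\PLACEHOLDER\AMS\Scripts\job.vbs"'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\PLACEHOLDER\AMS\Scripts\approved.vbs"},
]

if __name__ == "__main__":
    for i in flagged(EVENTS):
        print(i, triage(EVENTS[i]))
```

The allow-lists should be built from a baseline of normal activity on the workstation before alerts are acted on.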
## References
- **Vendor Advisory:** Emerson (Update released September 2018)
- **Kaspersky ICS CERT:** https://ics-cert.kaspersky.com/advisories/2018/10/02/klcert-18-017-deltav-remote-code-execution/
- **NVD:** https://nvd.nist.gov/vuln/detail/CVE-2018-14804