Full Report
Critical vulnerabilities in industrial PCs used by Emerson’s DeltaV distributed control system could allow arbitrary code execution, malware injection or malware propagation to other workstations
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Emerson DeltaV DCS Industrial PCs
## CVE Details
- **CVE ID:** CVE-2018-14798 (Critical), CVE-2018-14791 (High)
- **CVSS Score:**
  - CVE-2018-14798: 9.6 (Critical)
  - CVE-2018-14791: 7.2 (High)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-426 (Untrusted Search Path)
## Affected Systems
- **Products:** Emerson DeltaV Distributed Control System (DCS) Workstations
- **Versions:**
  - DeltaV v11.3.1
  - DeltaV v12.3.1
  - DeltaV v13.3.0/v13.3.1
  - DeltaV SIS v13.3.0/v13.3.1
- **Configurations:** Systems utilizing industrial PCs (IPCs) and workstations running the DeltaV software environment.
## Vulnerability Description
- **CVE-2018-14791 (DLL Hijacking):** A vulnerability exists in the way specific DeltaV services load DLL files. An attacker could place a malicious DLL in a directory prioritized by the search path, leading to arbitrary code execution with elevated privileges.
- **CVE-2018-14798 (Buffer Overflow):** A stack-based buffer overflow flaw exists in a service that processes network packets. By sending specially crafted packets to the affected workstation, an attacker can trigger the overflow to execute arbitrary code or cause a Denial of Service (DoS) condition.
## Exploitation
- **Status:** PoC demonstrated by researchers (Kaspersky ICS CERT); no confirmed exploitation in the wild at the time of disclosure.
- **Complexity:** Low to Medium.
- **Attack Vector:**
  - CVE-2018-14798: Network (remote execution possible without authentication).
  - CVE-2018-14791: Adjacent/Local (requires the ability to place files on the filesystem).
## Impact
- **Confidentiality:** High (Full access to workstation data and DCS configurations).
- **Integrity:** High (Ability to inject malware or modify control logic).
- **Availability:** High (Potential for system crashes, service disruption, and malware propagation across the DCS network).
## Remediation
### Patches
Emerson has released several updates to address these issues:
- **v11.3.1:** Apply DeltaV v11.3.1 Update patches.
- **v12.3.1:** Apply DeltaV v12.3.1 Update patches.
- **v13.3.0/v13.3.1:** Upgrade to newer secure builds or apply specific hotfixes provided by Emerson via the Guardian Support Portal.
### Workarounds
- Isolate the DeltaV control network from the corporate network and the internet.
- Implement strict firewall rules to block unauthorized traffic to DCS workstations.
- Disable unnecessary services and restrict physical/administrative access to IPCs.
## Detection
- **Indicators of Compromise:** Presence of unrecognized DLL files in DeltaV application directories; unexpected service restarts; unusual network traffic on proprietary DeltaV communication ports.
- **Detection methods and tools:**
  - Monitor for unauthorized file integrity changes in `%ProgramFiles%\DeltaV`.
  - Use ICS-aware Intrusion Detection Systems (IDS) to flag malformed network packets targeting DeltaV workstations.
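The two host-side indicators above (unrecognized DLLs in DeltaV application directories, and file integrity changes under `%ProgramFiles%\DeltaV`) can be checked with a baseline-and-compare script. The following PowerShell is an added example, not code from the advisory, from Emerson or from Kaspersky: it hashes every file under the DeltaV install directory, compares against a stored baseline to report new, modified and missing files, and separately lists any DLL whose Authenticode signature is missing or invalid, which is what a planted DLL for the CWE-426 search-path issue would typically look like. The install path is taken from the advisory; the baseline file location, the function names and the `-CreateBaseline` switch are assumptions made for this example.

```powershell
# Added example (not from the advisory, Emerson or Kaspersky): file-integrity and
# unsigned-DLL check for a DeltaV workstation. Run from an elevated PowerShell prompt.
# Assumptions: the baseline path below is a placeholder; %ProgramFiles%\DeltaV is the
# directory named in the advisory and may differ on a given site.
param(
    [string]$DeltaVPath   = (Join-Path $env:ProgramFiles 'DeltaV'),  # path from the advisory
    [string]$BaselinePath = 'C:\ICS-Baselines\deltav-hashes.json',   # placeholder location
    [switch]$CreateBaseline                                          # write a new baseline instead of comparing
)

# Map of relative file path -> SHA-256 hash for every file under $Root.
function Get-DirectoryHashes {
    param([string]$Root)
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $relative = $_.FullName.Substring($Root.Length).TrimStart('\')
        $table[$relative] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

# Load a baseline written by ConvertTo-Json back into a hashtable.
function Import-Baseline {
    param([string]$Path)
    $json = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $table = @{}
    foreach ($prop in $json.PSObject.Properties) { $table[$prop.Name] = $prop.Value }
    return $table
}

# Report files that are new, changed or missing relative to the baseline.
function Compare-Baseline {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($key in $Current.Keys) {
        if (-not $Baseline.ContainsKey($key)) {
            $findings += [pscustomobject]@{ Status = 'NEW';      File = $key }
        } elseif ($Baseline[$key] -ne $Current[$key]) {
            $findings += [pscustomobject]@{ Status = 'MODIFIED'; File = $key }
        }
    }
    foreach ($key in $Baseline.Keys) {
        if (-not $Current.ContainsKey($key)) {
            $findings += [pscustomobject]@{ Status = 'MISSING';  File = $key }
        }
    }
    return $findings
}

# List DLLs under $Root whose Authenticode signature is not valid (unsigned, tampered, untrusted chain).
function Find-UnsignedDlls {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

if (-not (Test-Path -Path $DeltaVPath)) { throw "DeltaV directory not found: $DeltaVPath" }

if ($CreateBaseline) {
    $dir = Split-Path -Path $BaselinePath -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Get-DirectoryHashes -Root $DeltaVPath | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

if (-not (Test-Path -Path $BaselinePath)) { throw "No baseline at $BaselinePath; run with -CreateBaseline first" }

$findings = Compare-Baseline -Baseline (Import-Baseline -Path $BaselinePath) `
                             -Current  (Get-DirectoryHashes -Root $DeltaVPath)
$unsigned = Find-UnsignedDlls -Root $DeltaVPath

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host 'No file changes since baseline.' }
if ($unsigned) { $unsigned | Format-Table -AutoSize } else { Write-Host 'All DLLs carry a valid Authenticode signature.' }
```

Create the baseline on a freshly patched, known-good workstation (`-CreateBaseline`), store the JSON somewhere the workstation account cannot write, and re-create it after every vendor update, since legitimate patches change hashes. A NEW or MODIFIED DLL, or any DLL with a non-Valid signature status, in the DeltaV directory is the host-side indicator this advisory describes and should be correlated with the network-side IDS alerts before being treated as benign.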
## References
- **Vendor Advisory:** Emerson Support Portal (Guardian)
- **CISA Advisory:** hxxps[://]www.cisa[.]gov/news-events/ics-advisories/icsa-18-228-01
- **Kaspersky Analysis:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2018/08/22/multiple-vulnerabilities-in-emerson-deltav-dcs-industrial-workstations/