SB2020052018 - Multiple vulnerabilities in Emerson OpenEnterprise
Published: May 20, 2020 Updated: May 21, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Missing Authentication for Critical Function (CVE-ID: CVE-2020-10640)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to an insufficient authentication mechanism. A remote attacker can run an arbitrary commands with system privileges or execute arbitrary code via a specific communication service.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-10632)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to inadequate folder security permissions. A local user can modify important configuration files, which could cause the system to fail or behave in an unpredictable manner.
3) Inadequate Encryption Strength (CVE-ID: CVE-2020-10636)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to inadequate encryption. A local user can obtain the passwords for OpenEnterprise user accounts.
Remediation
Install update from vendor's website.
References
- https://ics-cert.us-cert.gov/advisories/icsa-20-140-02
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2020/05/20/klcert-20-012-missing-authentication-in-emerson-openenterprise-scada-before-3-3-4
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2020/05/20/klcert-20-010-improper-ownership-management-in-emerson-openenterprise-scada-before-3-3-4
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2020/05/20/klcert-20-011-inadequate-encryption-strength-in-emerson-openenterprise-scada-before-3-3-4