Emerson Ovation OCR400 Controller Stack-Based Buffer Overflow (CVE-2019-10967)

high Tenable OT Security Plugin ID 502359

Synopsis

The remote OT asset is affected by a vulnerability.

Description

In Emerson Ovation OCR400 Controller 3.3.1 and earlier, a stack-based buffer overflow vulnerability in the embedded third-party FTP server involves improper handling of a long file name from the LIST command to the FTP service, which may cause the service to overwrite buffers, leading to remote code execution and escalation of privileges.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Emerson is issuing a notice to its customer base with mitigation recommendations, encouraging users with this older software to upgrade to a more current version supported by Emerson and the third-party vendor.

For users with installations of the affected versions, Emerson recommends following the instructions outlined in Step 1 and Step 2 (below) to determine whether communication services (including FTP) have been enabled. If communication services have been enabled, Emerson recommends users return FTP services to their default (disabled) state as soon as is practical. If users are unable to make controller changes or disable communication services per the instructions below, they are strongly encouraged to restrict FTP communications to the required database and controller drops only. Review Ovation Software and Hardware

Step 1 – Check the Ovation Controller Type

In Ovation Developer Studio, right-click on each controller object, select “Open” and review the “Controller Type” listed. Alternately, run a System Registration report and verify the “Model” for each controller.

- OCR400: The controller is potentially affected; continue with Step 2 (below)
- OCR161: The controller is not affected by the vulnerabilities detailed in this advisory, and can be disregarded

Step 2 – Check the Ovation Software Version

Ovation v3.0.4 and older

FTP services cannot be disabled using the Communications Services configuration detailed below. Emerson recommends users of retired systems, including Ovation v3.3.1 and older, consider upgrading to a more current version in which these issues do not exist.

However, separate mitigation involving network configuration may still be possible. Please refer to the “Review Ovation Highway Switch Configuration” section (below).

Ovation v3.1.0 – v3.3.1

Follow the “Determine Current State of Communications Services” (below).

Ovation v3.5.0 and Newer

FTP communications services cannot be enabled. This advisory does not apply to those versions.

Determine Current State of Communication Services

Two methods exist for checking the current state of controller communication services:

See Also

http://www.securityfocus.com/bid/108499

https://ics-cert.us-cert.gov/advisories/ICSA-19-148-01

Plugin Details

Severity: High

ID: 502359

Version: 1.4

Type: remote

Family: Tenable.ot

Published: 8/8/2024

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2019-10967

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:emerson:ovation_ocr400_firmware

Required KB Items: Tenable.ot/Emerson

Exploit Ease: No known exploits are available

Patch Publication Date: 5/28/2019

Vulnerability Publication Date: 5/28/2019

Reference Information

CVE: CVE-2019-10967

CWE: 121, 787

ICSA: 19-148-01