Researchers Warn of Flaws in Widely Used Industrial Gas Analysis Equipment
Multiple security flaws have been disclosed in Emerson Rosemount gas chromatographs that malicious actors could exploit to obtain sensitive information, cause a denial-of-service (DoS) condition, and even execute arbitrary commands.
The flaws affect GC370XA, GC700XA, and GC1500XA and are present in versions 4.1.5 and earlier.
According to operational technology (OT) security company Claroty, the vulnerabilities comprise two command injection flaws and two separate authentication and authorization flaws that unauthorized attackers could weaponize to carry out a wide range of malicious actions, from bypassing authentication to command injection.
“Exploiting these vulnerabilities successfully could allow an unauthorized attacker with network access to execute arbitrary commands, access sensitive information, cause a denial-of-service scenario, and bypass authentication to obtain administrative privileges,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated in an advisory published in January.
The chromatograph, used to carry out critical gas measurements, can be configured and managed using software known as MON. The software can also store critical data and produce reports such as chromatograms, alarm history, event logs, and maintenance logs.
Claroty’s analysis of the firmware and the proprietary protocol used for communication between the device and the Windows client, named MON2020, revealed the following shortcomings:
- CVE-2023-46687 (CVSS score: 9.8) – An unauthorized user with network access could execute arbitrary commands in root context from a remote computer
- CVE-2023-49716 (CVSS score: 6.9) – An authorized user with network access could execute arbitrary commands from a remote computer
- CVE-2023-51761 (CVSS score: 8.3) – An unauthorized user with network access could circumvent authentication and gain administrative privileges by resetting the associated password
- CVE-2023-43609 (CVSS score: 6.9) – An unauthorized user with network access could gain access to sensitive information or trigger a denial-of-service condition
Following responsible disclosure, Emerson has released an updated version of the firmware that addresses the vulnerabilities. The company has also advised end users to follow cybersecurity best practices and ensure that the affected products are not directly exposed to the internet.

The disclosure comes as Nozomi Networks revealed several flaws in AiLux RTU62351B that could be exploited to access sensitive resources on the device, modify its configuration, and even execute arbitrary commands as root. The vulnerabilities have been collectively named I11USION.
Security flaws have also been identified in Proges Plus temperature monitoring devices and their associated software, Sensor Net Connect and Thermoscan IP, which could allow admin privileges over critical medical systems, thereby enabling a malicious actor to tamper with system settings, install malware, and exfiltrate data.
These vulnerabilities, which remain unpatched, could also lead to a DoS condition in medical monitoring infrastructure, resulting in the spoilage of temperature-sensitive medicines and vaccines.


