Emerson’s hardware for process control systems has buffer overflow vulnerabilities that offer the potential to elevate privileges, execute code remotely, or disrupt device operation.
The problems affect Emerson Ovation OCR400 controllers (version 3.3.1 and below). According to the ICS-CERT advisory, the bugs are in a third-party FTP server embedded in the product. This software version has not been supported by the manufacturer since 2015.
The first problem (CVE-2019-10965) is a stack buffer overflow vulnerability. The bug stems from incorrect processing of LIST commands, which can cause a buffer to be overwritten and, as a result, allow remote code execution or privilege escalation.
The second problem (CVE-2019-10967) is a heap-based buffer overflow vulnerability caused by incorrect processing of commands sent to the FTP server. This can lead to memory corruption, which can disrupt the operation of the controller or allow remote code execution or privilege escalation.
The severity of the vulnerabilities is rated at 6.3 and 6.8, respectively, on the CVSS v3 scale. Exploiting them does not require special skills. Users of vulnerable products are encouraged to upgrade to newer software versions.