CISA reports multiple flaws in Emerson Ovation system
Take action: If you are using Emerson Ovation system, first make sure it's not accessible from the internet. Then plan to patch the systems ASAP.
Learn More
Emerson has identified critical vulnerabilities in its Ovation system, posing significant security risks. The Emerson Ovation system is a distributed control system (DCS) specifically designed for power generation and water/wastewater industries
The vulnerabilities are:
- CVE-2022-29966 (CVSS score 9.8) - Missing Authentication for Critical Function. Several protocols lack authentication, allowing attackers to alter controller configurations or cause DoS conditions.
- CVE-2022-30267 (CVSS score 9.1) - Insufficient Verification of Data Authenticity. Lacks firmware signing authentication and uses an insecure checksum, enabling attackers to push malicious firmware, cause DoS, or achieve remote code execution.
Successful exploitation of these vulnerabilities could lead to remote code execution, loss of sensitive information, Denial-of-service (DoS) attacks or unauthorized modification of controller configurations
Affected products are Emerson Ovation version 3.8.0 Feature Pack 1 and prior
Emerson recommends upgrading to Ovation 3.8.0 Feature Pack 3 to address many identified vulnerabilities and urges customers to consider using OCR3000 controllers for enhanced protection.
