OTPulse

Emerson DeltaV Uncontrolled Resource Consumption Vulnerability

Low Risk · ICS-CERT ICSA-13-053-01 · Nov 26, 2013
Summary

Emerson DeltaV controllers (SE3006 SD Plus, VE3005 MD, VE3006 MD PLUS hardware) are vulnerable to uncontrolled resource consumption. An attacker with network access can send malicious requests that exhaust CPU or memory on the controller, rendering it unable to process commands and causing operations to fail. Affected versions include SE3006 through 11.3.1, VE3005 through 10.3.1 and 11.3.1, and VE3006 through 10.3.1 and 11.3.1. No vendor fix is available.

What this means
What could happen
An attacker with network access to a DeltaV controller could consume system resources (CPU, memory), causing the device to become unresponsive and potentially halt process control operations.
Who's at risk
Water treatment and electric utility operators using Emerson DeltaV controllers for process automation. Affected models include SE3006 SD Plus and VE3005/VE3006 MD and MD PLUS hardware variants, commonly deployed in SCADA and distributed control systems.
How it could be exploited
An attacker sends specially crafted network requests to the DeltaV controller's management interface, triggering uncontrolled resource consumption. The device becomes starved of CPU or memory, making it unable to respond to process control commands.
Prerequisites
  • Network access to the DeltaV controller management port
Tags: remotely exploitable · no patch available · resource exhaustion
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (5, all EOL)
Product | Affected Versions | Fix Status
DeltaV VE3005 Controller MD Hardware | ≤ 10.3.1 | No fix (EOL)
DeltaV VE3006 Controller MD PLUS Hardware | ≤ 10.3.1 | No fix (EOL)
DeltaV VE3006 Controller MD PLUS Hardware | ≤ 11.3.1 | No fix (EOL)
DeltaV SE3006 SD Plus Controller | ≤ 11.3.1 | No fix (EOL)
DeltaV VE3005 Controller MD Hardware | ≤ 11.3.1 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Monitor CPU and memory utilization on DeltaV controllers to detect resource exhaustion attacks
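As an added illustration of the monitoring workaround above (example code, not OTPulse's or Emerson's), the detector below flags the two shapes a resource-exhaustion attack takes in utilization telemetry: a sudden jump between consecutive samples, and utilization held above a threshold for several samples in a row. It assumes a poller (historian export, SNMP, syslog) already produces one CPU/memory sample per controller per interval; the CSV record layout, controller tags and thresholds are constructed for this demo and are not a DeltaV format.

```python
"""Detect resource-exhaustion patterns in controller CPU/memory telemetry.

Added example, not code from OTPulse or Emerson. Assumes a poller already
exports one utilization sample per controller per interval; the CSV layout
below is constructed for this demo and is not a DeltaV format.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    ts: int            # epoch seconds
    controller: str    # hypothetical controller tag, e.g. "CTLR-VE3006-01"
    cpu_pct: float
    mem_pct: float


def parse_line(line: str) -> Sample:
    """Parse a constructed 'ts,controller,cpu_pct,mem_pct' record."""
    ts, ctl, cpu, mem = (f.strip() for f in line.split(","))
    return Sample(int(ts), ctl, float(cpu), float(mem))


class ExhaustionDetector:
    """Two complementary signals per controller and metric:
    - jump: metric rises by >= jump_pct between consecutive samples
      (a sudden request flood), alerted on every such step;
    - sustained: metric >= threshold_pct for min_consecutive samples in a
      row (slow starvation), alerted once and re-armed only after the
      metric drops back below the threshold.
    """

    METRICS = ("cpu_pct", "mem_pct")

    def __init__(self, threshold_pct=90.0, min_consecutive=3, jump_pct=40.0):
        self.threshold_pct = threshold_pct
        self.min_consecutive = min_consecutive
        self.jump_pct = jump_pct
        self._hist = {}     # controller -> deque of the last min_consecutive samples
        self._active = set()  # (controller, metric) pairs already in sustained state

    def observe(self, s: Sample) -> list:
        alerts = []
        hist = self._hist.setdefault(s.controller, deque(maxlen=self.min_consecutive))
        # Jump check against the previous sample for the same controller.
        for metric in self.METRICS:
            cur = getattr(s, metric)
            if hist:
                prev = getattr(hist[-1], metric)
                if cur - prev >= self.jump_pct:
                    alerts.append(f"{s.controller} {metric} jumped {prev:.0f}% -> {cur:.0f}% at {s.ts}")
        hist.append(s)
        # Sustained check over the full window, with one-shot suppression.
        for metric in self.METRICS:
            key = (s.controller, metric)
            if getattr(s, metric) < self.threshold_pct:
                self._active.discard(key)  # recovered: re-arm the alert
                continue
            if (len(hist) == self.min_consecutive
                    and key not in self._active
                    and all(getattr(x, metric) >= self.threshold_pct for x in hist)):
                self._active.add(key)
                alerts.append(f"{s.controller} {metric} sustained >= {self.threshold_pct:.0f}% "
                              f"for {self.min_consecutive} samples ending {s.ts}")
        return alerts


def run(lines) -> list:
    """Feed CSV records through one detector and collect every alert."""
    det = ExhaustionDetector()
    out = []
    for line in lines:
        if line.strip():
            out.extend(det.observe(parse_line(line)))
    return out


# Constructed telemetry: controller 01 sees a CPU spike that then stays pegged
# and recovers; controller 02 is a quiet baseline. Samples may interleave.
SAMPLES = """\
1700000000,CTLR-VE3006-01,35,52
1700000000,CTLR-VE3005-02,30,48
1700000010,CTLR-VE3006-01,38,53
1700000010,CTLR-VE3005-02,31,48
1700000020,CTLR-VE3006-01,92,54
1700000030,CTLR-VE3006-01,97,55
1700000040,CTLR-VE3006-01,99,56
1700000050,CTLR-VE3006-01,99,57
1700000060,CTLR-VE3006-01,41,57
1700000020,CTLR-VE3005-02,31,49
"""

if __name__ == "__main__":
    for alert in run(SAMPLES.splitlines()):
        print(alert)
```

The jump rule fires on the first anomalous sample, which is what an operator wants when a flood starts; the sustained rule fires once per episode so a pegged controller does not page every interval, and re-arms only after recovery so a second episode is not lost. Thresholds belong in a per-site baseline, since normal DeltaV load varies with configuration.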
Mitigations - no patch available
The following products have reached End of Life with no planned fix: DeltaV VE3005 Controller MD Hardware: <=10.3.1, DeltaV VE3006 Controller MD PLUS Hardware: <=10.3.1, DeltaV VE3006 Controller MD PLUS Hardware: <=11.3.1, DeltaV SE3006 SD Plus Controller: <=11.3.1, DeltaV VE3005 Controller MD Hardware: <=11.3.1. Apply the following compensating controls:
HARDENING: Restrict network access to DeltaV controllers using firewall rules; allow only engineering workstations and authorized control systems to reach the device
HARDENING: Implement network segmentation to isolate DeltaV controllers on a protected OT network with strict ingress/egress controls