Emerson ROC800 Multiple Vulnerabilities (Update A)
Low Risk | ICS-CERT ICSA-13-259-01A | Jun 19, 2013
Summary
Emerson ROC800, DL8000, and ROC800L controllers contain multiple vulnerabilities (CWE-912 weak key generation, CWE-798 hardcoded credentials, CWE-294 authentication bypass) that allow unauthenticated remote execution of arbitrary commands. These devices are commonly used in critical infrastructure SCADA systems for process monitoring and control. The vendor has not released patches for the affected product versions.
What this means
What could happen
An attacker with network access could execute arbitrary commands on ROC800 and DL8000 controllers, potentially disrupting critical operations like process control, alarms, and data logging in water, gas, or electric utilities.
Who's at risk
Water utilities, electric distribution operators, and gas system operators using Emerson ROC800, DL8000, or ROC800L controllers for process automation, alarm management, and SCADA data collection should prioritize mitigation. These controllers are commonly deployed in remote terminal units (RTUs) and local control applications.
How it could be exploited
An attacker on the network could send specially crafted commands to the controller's communication port without authentication. The controller would execute these commands with full permissions, allowing the attacker to modify process setpoints, disable alarms, or stop operations entirely.
Prerequisites
- Network access to the controller's communication port (typically TCP/UDP)
- No authentication credentials required
Remotely exploitable | No authentication required | No patch available | Affects industrial control and safety systems
Exploitability
Moderate exploit probability (EPSS 4.1%)
Affected products (3)
3 EOL
| Product | Affected Versions | Fix Status |
|---------|-------------------|--------------|
| ROC800  | ≤ 3.50            | No fix (EOL) |
| ROC800L | ≤ 1.20            | No fix (EOL) |
| DL8000  | ≤ 2.30            | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation: isolate ROC800 and DL8000 controllers on a separate OT network segment with firewall rules that restrict inbound access from IT networks and untrusted sources
- WORKAROUND: Disable remote access to affected controllers if not operationally required; use local engineering workstations only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor network traffic to and from controllers for suspicious commands or unexpected connections
Long-term hardening
- HOTFIX: Contact Emerson for long-term patch availability and guidance on end-of-life controllers
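One way to act on the segmentation and monitoring items above, as an added example that is not part of the advisory or any Emerson tooling: a check of exported flow records against an allowlist of hosts permitted to reach the controllers. All addresses, the record layout ("timestamp src dst proto") and the function names are constructed assumptions.

```python
import ipaddress

# Assumed site addressing (constructed); replace with the real OT plan.
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
CONTROLLERS = {ipaddress.ip_address(a) for a in ("10.20.0.11", "10.20.0.12")}
# Hosts permitted to talk to controllers, e.g. the local engineering workstation.
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.0.50")}

# Constructed flow records, one per line: timestamp src dst proto
SAMPLE_FLOWS = """\
2013-06-19T08:00:01Z 10.20.0.50 10.20.0.11 tcp
2013-06-19T08:03:12Z 192.168.5.23 10.20.0.11 tcp
2013-06-19T08:04:40Z 10.20.0.77 10.20.0.12 udp
2013-06-19T08:09:55Z 10.20.0.12 203.0.113.9 tcp
2013-06-19T08:10:02Z 10.20.0.50 10.20.0.60 tcp
malformed-record
"""

def classify(src, dst):
    """Return a finding for a flow that violates the policy, else None."""
    if dst in CONTROLLERS:
        if src in ALLOWED_SOURCES:
            return None
        if src in OT_SEGMENT:
            return "unlisted OT host reached controller"
        return "inbound to controller from outside OT segment"
    if src in CONTROLLERS and dst not in OT_SEGMENT:
        return "controller connected outside OT segment"
    return None

def review_flows(text):
    """Return (line_number, finding) pairs for every record needing review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        try:
            if len(parts) != 4:
                raise ValueError("wrong field count")
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            # Records that cannot be parsed are surfaced, not silently dropped.
            findings.append((lineno, "unparseable record"))
            continue
        reason = classify(src, dst)
        if reason:
            findings.append((lineno, reason))
    return findings

if __name__ == "__main__":
    for lineno, reason in review_flows(SAMPLE_FLOWS):
        print(f"line {lineno}: {reason}")
```
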