Emerson ROC800 Multiple Vulnerabilities (Update B)
Low Risk · ICS-CERT ICSA-13-259-01B · Jun 19, 2013
Summary
Emerson ROC800, DL8000, and ROC800L contain multiple vulnerabilities related to improper input validation (CWE-912), use of hardcoded credentials (CWE-798), and missing authentication checks (CWE-294). These issues affect the remote operations controller and data logger product lines used in industrial process monitoring and control.
What this means
What could happen
An attacker with network access to the device could bypass authentication, inject commands, or use embedded credentials to gain control over the remote operations controller, potentially allowing them to modify process setpoints, disable alarms, or halt critical operations.
Who's at risk
This vulnerability affects water authorities and electric utilities using Emerson remote operations controllers (ROC800, ROC800L) and data loggers (DL8000) in SCADA and process control systems. Equipment operators responsible for pump stations, water treatment, generator controls, or other critical automation systems should prioritize assessment.
How it could be exploited
An attacker on the network sends a crafted request to the device exploiting missing input validation or hardcoded credentials embedded in the firmware. If successful, the attacker gains unauthenticated access to the command interface and can execute arbitrary operations on the controller.
Prerequisites
- Network access to the ROC800, DL8000, or ROC800L device
- No valid credentials required; hardcoded credentials or authentication bypass allows access
remotely exploitable · no authentication required · no patch available · default/hardcoded credentials · affects process control systems
Exploitability
Moderate exploit probability (EPSS 4.1%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
ROC800 | ≤ 3.50 | No fix (EOL)
ROC800L | ≤ 1.20 | No fix (EOL)
DL8000 | ≤ 2.30 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to isolate ROC800, DL8000, and ROC800L devices from untrusted networks and the internet
- HARDENING: Apply firewall rules to restrict network access to these devices to only authorized engineering workstations and SCADA networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor network traffic to and from these devices for suspicious commands or access attempts
- HARDENING: Document the location and criticality of all ROC800, DL8000, and ROC800L devices in your environment
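The inventory, allowlist and monitoring items above can be combined into one check. This is an added example, not part of the advisory or any Emerson tooling: it audits flow records against a device inventory and a source allowlist. All addresses, networks, ports and flow records are constructed assumptions; substitute your own inventory and flow export.

```python
import ipaddress
from collections import Counter

# Constructed inventory (assumption): device IP -> product and role.
DEVICES = {
    "10.20.1.11": "ROC800, pump station 1",
    "10.20.1.12": "DL8000, loading rack",
}
# Constructed allowlist (assumption): engineering workstations and SCADA network.
ALLOWED = [ipaddress.ip_network(n) for n in ("10.20.0.0/28", "10.30.5.0/24")]
# Constructed site address space (assumption), used to tell internal from external.
SITE = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
FLOWS = [
    ("2024-01-01T02:00:00Z", "10.20.0.5", "10.20.1.11", 4000),    # workstation, allowed
    ("2024-01-01T02:01:10Z", "10.30.5.20", "10.20.1.12", 4000),   # SCADA, allowed
    ("2024-01-01T02:03:00Z", "10.40.9.9", "10.20.1.11", 4000),    # office LAN host
    ("2024-01-01T02:03:05Z", "10.40.9.9", "10.20.1.11", 4000),    # same host again
    ("2024-01-01T02:07:00Z", "203.0.113.7", "10.20.1.12", 4000),  # outside the site
    ("2024-01-01T02:08:00Z", "10.40.9.9", "10.50.0.1", 443),      # not an inventoried device
]

def in_any(ip, networks):
    """True if ip falls inside any of the given networks."""
    return any(ip in net for net in networks)

def audit_flows(flows, devices=DEVICES, allowed=ALLOWED, site=SITE):
    """Return one finding per (source, device, port) that violates the allowlist."""
    hits = Counter()
    for _ts, src, dst, port in flows:
        if dst not in devices:
            continue  # only inventoried controllers and data loggers are in scope
        ip = ipaddress.ip_address(src)
        if in_any(ip, allowed):
            continue  # authorized workstation or SCADA source
        kind = "internal-not-allowlisted" if in_any(ip, site) else "external"
        hits[(src, dst, port, kind)] += 1
    return [
        {"src": s, "dst": d, "device": devices[d], "port": p, "kind": k, "count": n}
        for (s, d, p, k), n in sorted(hits.items())
    ]

if __name__ == "__main__":
    for finding in audit_flows(FLOWS):
        print(finding)
```

Any finding means a firewall rule or segment boundary is not enforcing the allowlist for that device; an `external` finding indicates the device is reachable from outside the site address space.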