Emerson DeltaV DCS Workstations

Plan Patch9.6ICS-CERT ICSA-18-228-01Aug 16, 2018

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in Emerson DeltaV Distributed Control System workstations (versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5) allow arbitrary code execution and malware injection through file overwrite attacks. These vulnerabilities are exploitable without authentication or user interaction on networked systems. Successful compromise could allow an attacker to execute commands in the DeltaV environment, modify control logic, or spread malware to other engineering workstations connected to the control system network.

What this means

What could happen

An attacker with network access to a DeltaV workstation could execute arbitrary code, inject malware, or spread it across the engineering network, potentially compromising the ability to monitor and control critical process operations.

Who's at risk

Water and electric utility operations that rely on Emerson DeltaV Distributed Control Systems for process monitoring and automation. This affects engineering workstations where DeltaV is installed, versions 11.3.1 through R5. Anyone managing or remotely accessing DeltaV systems should prioritize this advisory.

How it could be exploited

An attacker on the same network segment as a DeltaV workstation can exploit file overwrite vulnerabilities to inject malicious code. Once a workstation is compromised, the attacker gains the ability to execute commands in the engineering environment where DeltaV runs, potentially spreading to other systems that communicate with it.

Prerequisites

Network access to DeltaV workstation (same subnet or routable path)
No authentication required
Application whitelisting not enabled

No authentication requiredLow complexity exploitationHigh CVSS (9.6 critical)Affects control system engineering workstationsNetwork-accessible from adjacent subnetsMultiple vulnerability chain (CWE-427, CWE-23, CWE-269, CWE-121)

Exploitability

Moderate exploit probability (EPSS 1.7%)

Affected products (1)

ProductAffected VersionsFix Status

DeltaV: v11.3.1 v12.3.1 v13.3.0 v13.3.1 R511.3.1 | 12.3.1 | 13.3.0 | 13.3.1 R5No fix yet

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDImplement application whitelisting on DeltaV workstations to prevent unauthorized file modifications and execution

HARDENINGRestrict network access to DeltaV workstations using firewall rules; block inbound access from business network and internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply vendor patches from Emerson Guardian Support Portal (Knowledge Base Article AK-1800-0042 / DSN18003) to DeltaV versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5

Long-term hardening

0/2

HARDENINGIsolate DeltaV systems and workstations on a dedicated engineering network segment separate from business systems

HARDENINGDeploy remote access to DeltaV systems through VPN only; disable direct network exposure

CVEs (4)

CVE-2018-14797 CVE-2018-14795 CVE-2018-14791 CVE-2018-14793

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d46a7c5b-99d1-4c2f-a977-0b9c5073239d