Emerson Ovation OCR400 Controller

MonitorCVSS 6.8ICS-CERT ICSA-19-148-01May 28, 2019

Emerson

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

Buffer overflow vulnerabilities in Emerson Ovation OCR400 controllers (versions 3.3.1 and earlier) via FTP file transfer services could allow an authenticated attacker to achieve privilege escalation or remote code execution, potentially halting the controller or causing uncontrolled process behavior. The vulnerabilities exist in memory handling routines (CWE-121, CWE-122) accessible through the FTP service when enabled. Ovation v3.5.0 and later versions are not affected because FTP services cannot be enabled in those versions.

What this means

What could happen

An attacker with valid Ovation credentials and network access to an OCR400 controller could execute arbitrary code or escalate privileges, potentially altering process parameters, stopping operations, or causing uncontrolled plant behavior.

Who's at risk

Water and electric utilities running Emerson Ovation control systems with OCR400 controllers on Ovation software version 3.3.1 or earlier. This affects SCADA/HMI systems that rely on Ovation for real-time process control of critical infrastructure operations.

How it could be exploited

An attacker on the network could connect via FTP (if enabled on the OCR400 controller) using valid engineering workstation credentials, exploit a buffer overflow vulnerability (CWE-121/122) to inject code, and execute arbitrary commands on the controller with potential privilege escalation.

Prerequisites

Network access to port 21 (FTP) on the OCR400 controller
FTP communication services enabled on the controller
Valid Ovation engineering credentials (username/password)
Ovation software version 3.3.1 or earlier

remotely exploitable via FTPlow complexity attackrequires valid credentialsaffects process control systemsbuffer overflow vulnerabilityaffects legacy/end-of-life versions

Exploitability

Some exploitation risk — EPSS score 6.1%

Affected products (1)

ProductAffected VersionsFix Status

Ovation OCR400 Controller running Ovation:≤ 3.3.13.5.0

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDDisable FTP services on OCR400 controllers running Ovation v3.1.0–v3.3.1 using Developer Studio or Controller Diagnostics application

WORKAROUNDIf FTP cannot be disabled on Ovation v3.0.4 or older systems, restrict FTP traffic to only required engineering workstation and database subnets using network firewall rules or switch ACLs

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Ovation software to version 3.5.0 or newer

Long-term hardening

0/2

HARDENINGConfigure Cisco 2960 and 3750 switches on the Ovation Highway with access control lists to block FTP, telnet, rlogin, and SSH from untrusted network segments

HARDENINGEnsure OCR400 controllers and Ovation systems are not accessible from the Internet

CVEs (2)

CVE-2019-10967 CVE-2019-10965

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/62d36266-df87-4d8b-8722-e6acd294a989

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.