Emerson ValveLink

Plan PatchCVSS 7.8ICS-CERT ICSA-20-063-01Mar 3, 2020

Emerson

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

ValveLink versions 12.0.264 through 13.4.118 contain an improper access control vulnerability (CWE-284) that could allow arbitrary code execution. The vulnerability requires local access and cannot be exploited remotely. Successful exploitation could allow an attacker with local system access to run code with ValveLink application privileges, potentially modifying valve configurations and process parameters. Emerson has released a patch in version 13.4.123 and higher. Users of older versions on end-of-life systems have no vendor fix available.

What this means

What could happen

An attacker with local access to a system running ValveLink could execute arbitrary code with the privileges of the application, potentially allowing them to modify valve configurations, process setpoints, or interfere with control logic in flow, pressure, or isolation operations.

Who's at risk

Water authorities and electric utilities using Emerson ValveLink for process control on programmable logic controllers, smart positioners, and isolation valve management. This affects anyone managing field device configurations through ValveLink on engineering workstations or configuration servers.

How it could be exploited

An attacker must have local access to a machine running a vulnerable version of ValveLink (v12.0.264 to v13.4.118). They would leverage improper access control in the application to escalate privileges and execute code. The vulnerability cannot be exploited remotely.

Prerequisites

Local access to a system running ValveLink
User account with low privileges on the affected system
ValveLink version 12.0.264 to 13.4.118 installed

local access requiredlow complexity exploitaffects control of critical equipment (valves)no patch available for v12.0.264 systems

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

ValveLink: v12.0.264 to v13.4.118≥ 12.0.264 | ≤ 13.4.118v13.4.123 or higher

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGRestrict physical and local network access to engineering workstations and systems running ValveLink configuration software

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade ValveLink to version 13.4.123 or higher

Long-term hardening

0/2

HARDENINGImplement principle of least privilege for user accounts on engineering workstations and systems running ValveLink

HARDENINGIsolate control system networks and devices running ValveLink behind firewalls, separate from business network

CVEs (1)

CVE-2020-6971

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b29a1d8b-85a7-4bd9-af77-bb261e62a60d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.