Emerson OpenEnterprise

Act Now10ICS-CERT ICSA-20-140-02May 19, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Emerson OpenEnterprise versions 3.3.4 and earlier contain multiple authentication and authorization weaknesses (CWE-306, CWE-282) and weak cryptography (CWE-326) that allow attackers to access configuration services without authentication or obtain user account credentials. Successful exploitation could grant an attacker direct control over OpenEnterprise configuration and user credentials, potentially enabling them to modify control logic, alarm setpoints, or safety interlocks.

What this means

What could happen

An attacker could gain unauthorized access to OpenEnterprise configuration services or steal user account passwords, potentially allowing them to modify process settings, disable safety interlocks, or shut down critical operations.

Who's at risk

Operators of Emerson OpenEnterprise systems, including water utilities, electric utilities, and process manufacturers that rely on this platform for SCADA/control system configuration, monitoring, and management. This affects anyone managing industrial processes through OpenEnterprise.

How it could be exploited

An attacker with network access to OpenEnterprise services could exploit authentication or authorization weaknesses (CWE-306, CWE-282) or weak cryptography (CWE-326) to bypass security controls and access the configuration database or credential storage without valid credentials.

Prerequisites

Network access to OpenEnterprise services (port/interface not explicitly stated in advisory)
OpenEnterprise version 3.3.4 or earlier deployed and reachable from attacker's network

remotely exploitableno authentication requiredlow complexityCVSS 10.0 (critical)affects control system configuration and credentials

Exploitability

Low exploit probability (EPSS 0.9%)

Affected products (1)

ProductAffected VersionsFix Status

OpenEnterprise: all≤ 3.3.43.3.5

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGRestrict network access to OpenEnterprise services using firewalls; do not expose to the Internet

HARDENINGIsolate OpenEnterprise and control system networks from business networks using network segmentation

WORKAROUNDIf remote access to OpenEnterprise is required, use VPNs with current security patches

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade OpenEnterprise to version 3.3.5 (Service Pack 5) or later

HARDENINGImplement least-privilege user access controls for OpenEnterprise accounts

CVEs (3)

CVE-2020-10640 CVE-2020-10632 CVE-2020-10636

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/69c4fc3e-8f97-49c4-9963-a1beb3429581