OTPulse

Emerson PACSystem and Fanuc

MonitorCVSS 5.9ICS-CERT ICSA-24-158-01Jun 6, 2024
EmersonEnergy
Summary

Emerson PAC Machine Edition, PACSystem RXi/RX3i/RSTi-EP, and Fanuc VersaMax controllers contain multiple vulnerabilities related to weak authentication (CWE-345, CWE-522), unencrypted communications (CWE-319), and insecure deserialization (CWE-494). These vulnerabilities could allow remote code execution, exposure of sensitive information, or denial-of-service attacks. CVE-2022-30263 affects authentication; CVE-2022-30268 involves credential handling and physical access controls; CVE-2022-30266 involves insecure communications; and CVE-2022-30265 involves authentication bypass. No patches are available from the vendors.

What this means
What could happen
An attacker could gain remote access to PACSystem or Fanuc VersaMax controllers to run arbitrary commands, intercept sensitive control data, or disrupt operations by stopping or altering the programmable logic controller (PLC). These devices manage energy generation, distribution, and control systems, so compromise could affect power delivery or grid stability.
Who's at risk
Energy utilities and critical infrastructure operators using Emerson PAC Machine Edition, PACSystem RXi/RX3i/RSTi-EP, or Fanuc VersaMax controllers in power generation and distribution. This affects anyone whose plant or grid control systems rely on these PLCs for automation and monitoring.
How it could be exploited
An attacker with network access to the controller's Ethernet port could exploit weak authentication or unencrypted communication channels to authenticate without valid credentials or to intercept session data. Once authenticated or connected, the attacker can execute remote commands on the PLC to modify control logic or disable safety functions.
Prerequisites
  • Network access to the controller's Ethernet port
  • Ability to reach the device from the network (not isolated behind a firewall)
  • Knowledge of or ability to bypass weak SRP6-a authentication if enabled
  • For some CVEs: ability to observe or intercept unencrypted communications
remotely exploitableno patch availableweak or missing encryption (CWE-319)weak authentication mechanisms (CWE-345, CWE-522)affects control systems for energy delivery
Affected products (6)
6 EOL
ProductAffected VersionsFix Status
PAC Machine Edition: vers:all/*All versionsNo fix (EOL)
PACSystem RXi: vers:all/*All versionsNo fix (EOL)
PACSystem RX3i: vers:all/*All versionsNo fix (EOL)
PACSystem RSTi-EP: vers:all/*All versionsNo fix (EOL)
PACSystem VersaMax: vers:all/*All versionsNo fix (EOL)
Fanuc VersaMax: vers:all/*All versionsNo fix (EOL)
Remediation & Mitigation
0/6
Do now
0/3
WORKAROUNDDisable unnecessary Ethernet services on PACSystem controllers (consult Secure Deployment Guide GFK-2830Y Section 5.2.1.1)
HARDENINGImplement SRP6-a authentication on all PACSystem controllers and enforce it as the only authentication method (Secure Deployment Guide GFK-2830Y Sections 4.3.3 and 4.3.4)
HARDENINGRestrict network access to controllers by placing them behind firewalls and isolating them from business networks and the internet
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HARDENINGImplement physical security controls around controllers (locked enclosures, restricted access) to prevent unauthorized personnel from establishing direct connections
HARDENINGIf remote access is required, use a VPN to secure communications and keep VPN software updated to the latest version
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: PAC Machine Edition: vers:all/*, PACSystem RXi: vers:all/*, PACSystem RX3i: vers:all/*, PACSystem RSTi-EP: vers:all/*, PACSystem VersaMax: vers:all/*, Fanuc VersaMax: vers:all/*. Apply the following compensating controls:
HARDENINGApply the Reference Architecture guidance from Secure Deployment Guide GFK-2830Y Section 6.1 to design secure network topology
View full CISA ICS-CERT advisory
API: /api/v1/advisories/6a8dc499-1164-4f39-ab88-82d65f0750da

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.