Emerson Ovation

Plan Patch9.8ICS-CERT ICSA-24-158-02Jun 6, 2024

Summary

Emerson Ovation contains multiple vulnerabilities (CWE-306: Missing Authentication, CWE-345: Insufficient Verification of Data Authenticity) that could allow remote code execution, denial-of-service, modification of controller configuration, and unauthorized access to sensitive information. Affected versions are Ovation 3.8.0 Feature Pack 1 and earlier.

What this means

What could happen

An attacker with network access to an Ovation system could execute arbitrary code on controllers, modify process settings and alarms, steal sensitive configuration or plant data, or shut down operations entirely. This could result in loss of generation/distribution control, equipment damage, or extended outages.

Who's at risk

Energy sector operators running Emerson Ovation control systems, particularly electric generation and distribution utilities that depend on Ovation for unit controllers, distributed control, or plant-wide supervisory functions. Any facility using Ovation versions 3.8.0 Feature Pack 1 or earlier is at risk.

How it could be exploited

An attacker on the network can send specially crafted requests to the Ovation system without authentication (CVSS vector shows no PR/UI required). The attacker can directly trigger remote code execution or configuration modification on the controller, or exfiltrate sensitive data like control logic and credentials.

Prerequisites

Network access to the Ovation system or its management interface
No authentication or credentials required
System must be running Ovation version 3.8.0 Feature Pack 1 or earlier

Remotely exploitableNo authentication requiredLow complexityHigh CVSS (9.8)Affects safety and control logicNo patch available for older versionsCan lead to loss of operational control

Affected products (1)

ProductAffected VersionsFix Status

Ovation: <=3.8.0_Feature_Pack_1≤ 3.8.0 Feature Pack 13.8.0 Feature Pack 3

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGPlace Ovation systems behind a firewall and isolate from the business network to prevent unauthorized network access

HARDENINGEnsure Ovation systems and controllers are not accessible from the internet

WORKAROUNDIf remote access to Ovation is required, use a VPN with current security patches and strong access controls

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Ovation to version 3.8.0 Feature Pack 3 or later to remediate the identified vulnerabilities

HARDENINGDeploy and configure Ovation systems according to Emerson's Cybersecurity for Ovation Systems manual (OVREF1000)

Long-term hardening

0/1

HARDENINGConsider upgrading to OCR3000 controllers, which provide additional security protections not available in older controller models

CVEs (2)

CVE-2022-29966 CVE-2022-30267

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/38f2a5da-12ac-438d-a144-c744ff2727d6