Deep Sea Electronics DSE855

Act Now | CVSS 6.5 | ICS-CERT ICSA-24-298-03 | Oct 24, 2024
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

DSE855 firmware versions up to 1.0.26 store credentials in an insecure manner, allowing an attacker on the local network to access and retrieve them. This vulnerability (CWE-306: Missing Authentication for Critical Function) does not require authentication from the attacker and is not remotely exploitable. Deep Sea Electronics has released a fix in firmware version 1.2.0.

What this means
What could happen
An attacker with network access to the DSE855 could read stored credentials, potentially compromising authentication to the device or other connected systems. This could lead to unauthorized control of generator or engine systems.
Who's at risk
Generator and engine control operators running DSE855 controllers should prioritize this update. The DSE855 is a digital engine speed governor commonly found in backup power generation systems, utility-scale engines, and remote power installations. Operations and maintenance teams need to plan a firmware update maintenance window.
How it could be exploited
An attacker on the same network segment as the DSE855 controller can retrieve plaintext or weakly protected credentials stored in the device memory or configuration. These credentials could then be reused to authenticate to the device or other systems without the owner's knowledge.
Prerequisites
  • Network access to the DSE855 (same network segment or via compromised device on that network)
  • No authentication required to access stored credentials
no authentication required | low complexity | high EPSS score (74%) | credentials exposure
Exploitability
Likely to be exploited — EPSS score 74.0%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (1)
Product | Affected Versions | Fix Status
DSE855: 1.0.26 | 1.0.26 | 1.2.0
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to DSE855 to only authorized engineering and monitoring workstations using firewall rules
  • WORKAROUND: Change all default credentials and stored passwords on DSE855 immediately as a compensating control until firmware can be updated
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update DSE855 firmware to version 1.2.0 or later
Long-term hardening
  • HARDENING: Isolate DSE855 and associated control networks from business/corporate networks using a firewall or network gateway
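
A triage sketch for the remediation steps above, added here as an example and not part of the advisory or any vendor tooling: it sorts an asset inventory against the affected (up to 1.0.26) and fixed (1.2.0) firmware versions the advisory gives, and flags versions in between for manual verification. The CSV columns, asset names and the "control" segment label are assumptions, and the inventory rows are constructed.

```python
import csv
import io

AFFECTED_MAX = (1, 0, 26)   # advisory: "firmware versions up to 1.0.26"
FIXED_MIN = (1, 2, 0)       # advisory: fix released in firmware 1.2.0
# Constructed sample inventory; column names and segment labels are assumptions.
SAMPLE_INVENTORY = """asset,model,firmware,segment
gen-01,DSE855,1.0.26,control
gen-02,DSE855,1.2.0,control
gen-03,DSE855,1.1.4,corporate
gen-04,DSE855,v1.0.9,control
gen-05,DSE855,unknown,control
ats-01,OTHER-MODEL,1.0.0,control
"""

def parse_version(text):
    """Return a 3-int tuple, or None if the string is not a dotted version."""
    parts = text.strip().lstrip("vV").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(firmware):
    version = parse_version(firmware)
    if version is None:
        return "UNKNOWN"      # unparseable: treat as unpatched until checked
    if version >= FIXED_MIN:
        return "FIXED"
    if version <= AFFECTED_MAX:
        return "AFFECTED"
    return "VERIFY"           # between 1.0.26 and 1.2.0: advisory is silent

def triage(inventory_csv):
    """Map each DSE855 asset to (status, list of follow-up actions)."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip().upper() != "DSE855":
            continue
        status = classify(row["firmware"])
        todo = ["restrict access", "rotate credentials", "schedule 1.2.0 update"]
        actions = [] if status == "FIXED" else todo
        if row["segment"].strip().lower() != "control":
            actions.append("isolate from business network")
        results[row["asset"]] = (status, actions)
    return results

if __name__ == "__main__":
    for asset, (status, actions) in triage(SAMPLE_INVENTORY).items():
        print(f"{asset}: {status} -> {', '.join(actions) or 'none'}")
```

Assets reported as UNKNOWN or VERIFY get the same compensating controls as AFFECTED ones until the running firmware is confirmed on the device.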