Claroty, a company that specializes in security solutions for cyber-physical systems, has disclosed the details of several vulnerabilities discovered in a gas chromatograph made by Emerson, and warned that attacks could have a serious impact.
A gas chromatograph is a chemical analysis instrument that measures the content of various components in a sample. Such devices are used by hospitals in blood testing and by environmental facilities to measure air pollution.
Claroty’s analysis showed that Emerson gas chromatography devices are connected to internal networks and they are controlled remotely by technicians over a communication channel that leverages a proprietary protocol.
Claroty’s research focused on the Emerson Rosemount 370XA gas chromatograph. Since the product costs $100,000, the cybersecurity firm managed to emulate the device instead of using a real one for its testing.
The analysis found — and Emerson confirmed — that Rosemount GC370XA, GC700XA, and GC1500XA products are affected by four vulnerabilities.
The list includes a critical command injection that allows an unauthenticated attacker with network access to remotely execute arbitrary commands with root privileges. It also includes a high-severity issue that allows an unauthenticated network attacker to bypass authentication and obtain admin capabilities.
The remaining vulnerabilities have been classified as ‘medium severity’. One of them allows an unauthenticated attacker to obtain sensitive information or cause a DoS condition, and one allows an authenticated attacker to run arbitrary commands.
“A compromise of such devices can have a tremendous impact on various industries. In the food and beverage sector, attacks against a food processing company’s gas chromatographs could prevent the accurate detection of bacteria and bring a process chain to a halt,” Claroty warned. “Similar attacks against a hospital’s chromatographs would disrupt testing of blood and other patient samples.”
The US cybersecurity agency CISA published an advisory for these vulnerabilities back in January, at around the same time as Emerson.
The vendor at the time informed customers about the availability of firmware updates that should patch the vulnerabilities and also highlighted that “if the affected product is isolated from the internet as recommended and running on a well-protected network consistent with industry best practices, the potential risk is lowered.”
| Learn More at SecurityWeek’s ICS Cybersecurity Conference The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.  October 21-24, 2024 | Atlanta www.icscybersecurityconference.com |
Related: Emerson Patches Several Vulnerabilities in X-STREAM Gas Analyzers
Related: Critical Vulnerability in Honeywell Virtual Controller Allows Remote Code Execution
Related: Unpatched Rapid SCADA Vulnerabilities Expose Industrial Organizations to Attacks
