Several security vulnerabilities have been identified in Emerson Rosemount gas chromatographs, specifically affecting the GC370XA, GC700XA, and GC1500XA models with software versions 4.1.5 and earlier. According to OT security firm Claroty, these vulnerabilities include command injection flaws and issues related to authentication and authorization, which could be exploited by unauthenticated attackers. Such exploits could lead to unauthorized command execution, sensitive information exposure, denial-of-service (DoS) conditions, and bypassing of authentication mechanisms.
The vulnerabilities are detailed as follows: CVE-2023-46687 (CVSS score: 9.8) allows unauthenticated users to execute arbitrary commands remotely; CVE-2023-49716 (CVSS score: 6.9) permits authenticated users to run arbitrary commands remotely; CVE-2023-51761 (CVSS score: 8.3) enables unauthenticated users to bypass authentication and gain admin privileges; and CVE-2023-43609 (CVSS score: 6.9) allows unauthenticated users to access sensitive information or cause DoS conditions.
In response to these vulnerabilities, Emerson has released updated firmware to address the issues and has advised users to adhere to cybersecurity best practices. This includes ensuring that affected devices are not exposed directly to the internet to reduce the risk of exploitation. The vulnerabilities were disclosed following responsible reporting, emphasizing the importance of timely updates and network security.
The disclosure of these flaws comes alongside other security concerns, such as vulnerabilities in AiLux RTU62351B and Proges Plus temperature monitoring devices. These issues could potentially allow unauthorized access, configuration changes, and command execution, highlighting the broader context of vulnerabilities in critical infrastructure and medical systems.
Reference:
