1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely
- Vendor: Emerson
- Equipment: Rosemount GC370XA, GC700XA, GC1500XA
- Vulnerabilities: Command Injection, Improper Authentication, Improper Authorization
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker with network access to run arbitrary commands, access sensitive information, cause a denial-of-service condition, and bypass authentication to acquire admin capabilities.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Emerson Rosemount Gas Chromatographs are affected:
- GC370XA: Version 4.1.5
- GC700XA: Version 4.1.5
- GC1500XA: Version 4.1.5
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer.
CVE-2023-46687 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an authenticated user with network access could run arbitrary commands from a remote computer.
CVE-2023-49716 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.9 has been calculated; th
[…]