Emerson Process Management has released a patch for SQL Injection vulnerability in its AMS Device Manager application.
Emerson AMS Device Manager is a software used worldwide primarily in the oil and gas and chemical industries.
The Advisory (ICSA-15-111-01) released on the ICS-CERT website quoted that the vulnerability is not exploitable remotely and cannot be exploited without user interaction. It also stated that an attacker’s access to the vulnerability is of medium difficulty level.
"Successful attack results in administrative access to the application and its data files but not to the underlying computer system." The advisory reads.
The vulnerability affects AMS Device Manager, V12.5 and earlier.
"Successful attack results in administrative access to the application and its data files but not to the underlying computer system." The advisory reads.
The vulnerability affects AMS Device Manager, V12.5 and earlier.
Emerson advises the users of this application to take some steps to avoid exploitation to this vulnerability.
For AMS Device Manager application v12.5; it suggests the users to apply a patch, upgrade to v13, or apply the workaround below. For the earlier versions, the software can be configured by adding another user with full administrative privileges and making the default administrative user have read-only privileges.
ICS-CERT also recommends the users to limit user privileges on ICS running software machines, reduce network exposure for all control system device, locate control system networks and remote devices behind firewalls, and isolate them from the business network.
