ICSA-22-228-06 · Published 2022-08-16
Emerson Proficy Machine Edition
CVSS 6.6
MEDIUM
Risk Summary
Successful exploitation of these vulnerabilities could allow for remote hidden code execution on the connected programmable logic controller (PLC) and for malicious files to be uploaded from the PLC to connected workstations.
Remediations
- CVE-2022-2793: The SRTP and SNP protocols support cryptographically secure authentication using the SRP-6a protocol, a feature Emerson recommends users enable. Affected devices currently support encrypted authentication for session establishment and for privilege escalation; additional encryption features will be added over time.
- CVE-2022-2792: Emerson plans to fix this vulnerability in a future version. Emerson recommends users ensure they are running the latest version of PAC Machine Edition and maintain good physical security of devices and transmission paths.
- CVE-2022-2791: Emerson recommends that operators of the affected devices be well verified and that only a restricted set of users be permitted to upload files. The affected devices have no file verification mechanism for checking uploaded files.
- CVE-2022-2790: See recommendations for CVE-2022-2791.
- CVE-2022-2789: See recommendations for CVE-2022-2791.
- CVE-2022-2788: See recommendations for CVE-2022-2791. Emerson recommends that Proficy Machine Edition be installed as an administrator but run as a non-administrator, unless administrator rights are necessary for specific functions. Users should not program PLCs over an untrusted network; PLCs should be programmed over a flat/bridged network. Users should also enable authentication on the PLCs.
- For additional details on any of these recommendations, see Emerson's security advisory.
Affected Vendors
Emerson
Affected Products (1)
Emerson · Proficy Machine Edition, versions <= 9.80
Affected Sectors
Commercial Facilities, Critical Manufacturing, Dams, Defense Industrial Base, Energy, Food and Agriculture, Government Facilities, Information Technology, Transportation Systems, Water and Wastewater Systems