Cybersecurity specialists reported the detection of at least six security vulnerabilities in Emerson Rosemount X-STREAM solutions, a gas analyzer for industrial environments and WiFi connection capabilities. According to the report, successful exploitation of these flaws would allow threat actors to steal sensitive information and even take full control of the target system.
Below are brief descriptions of the reported flaws, in addition to their respective tracking keys and scores according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-27457: This flaw exists due to a weak encryption algorithm for storing sensitive data on affected products. Remote threat actors might gain unauthorized access to sensitive information on the target system.
This is a medium severity flaw and received a score of 6.9/10 on the CVSS scale.
CVE-2021-27459: Improper validation of files during the upload process to the web server would allow authenticated attackers to upload a malicious file and run it on the server remotely.
The vulnerability received a score of 8.1/10 and its exploitation would put the affected system at risk.
CVE-2021-27461: An input validation error when processing directory cross-sectional streams would allow remote attackers to send specially designed HTTP requests and read arbitrary files on the system.
This vulnerability received a score of 6.9/10, cybersecurity specialists report.
CVE-2021-27463: Affected applications use persistent cookies where the session cookie attribute is not invalidated correctly. Remote malicious hackers could gain unauthorized access to sensitive information stored on the target system by exploiting this vulnerability.
The flaw is considered of average severity and received a score of 4.9/10.
CVE-2021-27465: Insufficient disinfection of user input would allow threat actors to deceive the victim by sending a specially designed link with which they will seek to execute HTML code and arbitrary scripts in the user’s browser.
The flaw received a score of 5.6/10 and its successful exploitation would allow remote hackers to steal sensitive information, perform phishing attacks and even modify the appearance of an online platform.
CVE-2021-27467: The web interface of the affected product allows click routing attacks or key registration arbitrarily, which would allow the theft of sensitive information.
The vulnerability received a CVSS score of 4/10.
According to the report, the flaws reside in the following products:
- Rosemount X-STREAM Gas Analyzer: all versions
- X-STREAM XEGP: all versions
- X-STREAM XEGK: all versions
- X-STREAM XEFD: all versions
- X-STREAM XEXF: all versions
While most flaws can be exploited by unauthenticated remote threat actors, cybersecurity experts point out that so far no attempts to active exploit or the existence of a malware variant associated with these attacks have been detected.
However, it is important to note that no security patches or workarounds are available, so administrators are advised to stay on top of any new manufacturer announcements. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.