CVE-2018-11691
📋 TL;DR
This vulnerability in Emerson DeltaV Smart Switch Command Center prevents changing management passwords on DeltaV Smart Switches after commissioning, leaving them with default credentials. Affected systems include DeltaV versions 11.3.x and 12.3.1. The vulnerability allows attackers to gain unauthorized access to industrial network switches.
💻 Affected Systems
- Emerson DeltaV Smart Switch Command Center
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain persistent access to industrial control network switches, enabling network manipulation, traffic interception, or disruption of industrial processes.
Likely Case
Unauthorized users access switch management interfaces using default credentials, potentially reconfiguring network settings or monitoring traffic.
If Mitigated
With proper network segmentation and access controls, impact is limited to the management network segment only.
🎯 Exploit Status
Exploitation requires network access to switch management interface and knowledge of default credentials. No authentication bypass needed since default credentials remain active.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available for DeltaV workstations (specific versions not specified)
Vendor Advisory: Refer to DeltaV Security Notification DSN19003 (KBA NK-1900-0808)
Restart Required: Yes
Instructions:
1. Download patches from Emerson Guardian Support Portal. 2. Apply patches to DeltaV workstations. 3. Either commission DeltaV Smart Switches or change passwords using the tool. 4. Restart affected systems.
🔧 Temporary Workarounds
Manual Password Reset
allManually change DeltaV Smart Switch management passwords using alternative methods
Network Segmentation
allIsolate DeltaV Smart Switch management interfaces from general network access
🧯 If You Can't Patch
- Implement strict network access controls to limit access to switch management interfaces
- Manually verify and change all DeltaV Smart Switch passwords using console or alternative management methods
🔍 How to Verify
Check if Vulnerable:
Check if DeltaV Smart Switch Command Center version is 11.3.x or 12.3.1 and test if password changes persist after commissioningCheck Version:
Check DeltaV workstation software version through Emerson DeltaV interface or system propertiesVerify Fix Applied:
Verify patch installation and test that password changes now work correctly in the Smart Switch Command Center📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts to switch management interfaces
- Successful logins with default credentials
- Configuration changes to network switches
Network Indicators:
- Unexpected traffic to switch management ports (typically 22, 23, 80, 443)
- Traffic patterns indicating switch configuration changes
SIEM Query:
source="network_switches" AND (event_type="authentication" AND (username="default" OR username="admin")) OR (event_type="configuration_change")🔗 References
- http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf
- http://www.securityfocus.com/bid/109110
- https://www.us-cert.gov/ics/advisories/icsa-19-190-01
- http://www.emerson.com/documents/automation/deltav-smart-switches-en-179014.pdf
- http://www.securityfocus.com/bid/109110
- https://www.us-cert.gov/ics/advisories/icsa-19-190-01
