CVE-2023-43609 - OpenCVE

In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Emerson	Gc1500xa Gc1500xa Firmware Gc370xa Gc370xa Firmware Gc700xa Gc700xa Firmware

Configuration 1 [-]

AND

cpe:2.3:h:emerson:gc370xa:-:*:*:*:*:*:*:*

cpe:2.3:o:emerson:gc370xa_firmware:4.1.5:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:h:emerson:gc700xa:-:*:*:*:*:*:*:*

cpe:2.3:o:emerson:gc700xa_firmware:4.1.5:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:h:emerson:gc1500xa:-:*:*:*:*:*:*:*

cpe:2.3:o:emerson:gc1500xa_firmware:4.1.5:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01
https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-02-09T03:52:03.096Z

Updated: 2024-08-02T19:44:43.814Z

Reserved: 2024-01-03T00:41:24.590Z

Link: CVE-2023-43609

Vulnrichment

Updated: 2024-08-02T19:44:43.814Z

NVD

Status : Analyzed

Published: 2024-02-09T04:15:07.583

Modified: 2024-02-15T14:45:17.063

Link: CVE-2023-43609

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-43609", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-01-03T00:41:24.590Z", "datePublished": "2024-02-09T03:52:03.096Z", "dateUpdated": "2024-08-02T19:44:43.814Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Rosemount GC370XA", "vendor": "Emerson", "versions": [{"lessThanOrEqual": "Version 4.1.5", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Rosemount GC700XA", "vendor": "Emerson", "versions": [{"lessThanOrEqual": "Version 4.1.5", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Rosemount GC1500XA", "vendor": "Emerson", "versions": [{"lessThanOrEqual": "Version 4.1.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Vera Mens of Claroty Research reported these vulnerabilities to Emerson."}], "datePublic": "2024-01-30T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition.</span>\n\n</span>\n\n</span>\n\n</span>\n\n"}], "value": "\n\n\n\n\n\n\nIn Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition.\n\n\n\n\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285 Improper Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-02-09T03:52:03.096Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01"}, {"url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Emerson recommends end users update the affected products' firmware. For update information, contact </span><a target=\"_blank\" rel=\"nofollow\">Emerson Tech Support</a><span style=\"background-color: rgb(255, 255, 255);\">. Emerson recommends end users continue to use current cybersecurity industry best practices, and in the event such infrastructure is not implemented within an end user's network, the user should take action to ensure the affected product is connected to a well-protected network and not connected to the Internet. For more information, refer to the </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/security-notifications\">Emerson Security</a><span style=\"background-color: rgb(255, 255, 255);\"> web page.</span>\n\n<br>"}], "value": "\nEmerson recommends end users update the affected products' firmware. For update information, contact Emerson Security https://www.emerson.com/en-us/support/security-notifications \u00a0web page.\n\n\n"}], "source": {"advisory": "ICSA-24-030-01", "discovery": "EXTERNAL"}, "title": "Emerson Rosemount GC370XA, GC700XA, GC1500XA Improper Authorization", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-43609", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-09T19:00:54.881050Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:20:48.571Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:44:43.814Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01", "tags": ["x_transferred"]}, {"url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01", "tags": ["x_transferred"]}, {"url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:44:43.814Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-43609", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-09T19:00:54.881050Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:36.848Z"}}], "cna": {"title": "Emerson Rosemount GC370XA, GC700XA, GC1500XA Improper Authorization", "source": {"advisory": "ICSA-24-030-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Vera Mens of Claroty Research reported these vulnerabilities to Emerson."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.9, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Emerson", "product": "Rosemount GC370XA", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "Version 4.1.5"}], "defaultStatus": "unaffected"}, {"vendor": "Emerson", "product": "Rosemount GC700XA", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "Version 4.1.5"}], "defaultStatus": "unaffected"}, {"vendor": "Emerson", "product": "Rosemount GC1500XA", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "Version 4.1.5"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "\nEmerson recommends end users update the affected products' firmware. For update information, contact Emerson Security https://www.emerson.com/en-us/support/security-notifications \u00a0web page.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Emerson recommends end users update the affected products' firmware. For update information, contact </span><a target=\"_blank\" rel=\"nofollow\">Emerson Tech Support</a><span style=\"background-color: rgb(255, 255, 255);\">. Emerson recommends end users continue to use current cybersecurity industry best practices, and in the event such infrastructure is not implemented within an end user's network, the user should take action to ensure the affected product is connected to a well-protected network and not connected to the Internet. For more information, refer to the </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.emerson.com/en-us/support/security-notifications\">Emerson Security</a><span style=\"background-color: rgb(255, 255, 255);\"> web page.</span>\n\n<br>", "base64": false}]}], "datePublic": "2024-01-30T17:00:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01"}, {"url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\nIn Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition.\n\n\n\n\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition.</span>\n\n</span>\n\n</span>\n\n</span>\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-02-09T03:52:03.096Z"}}}, "cveMetadata": {"cveId": "CVE-2023-43609", "state": "PUBLISHED", "dateUpdated": "2024-08-02T19:44:43.814Z", "dateReserved": "2024-01-03T00:41:24.590Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2024-02-09T03:52:03.096Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:emerson:gc370xa:-:*:*:*:*:*:*:*", "matchCriteriaId": "6EF5297A-99CA-4D56-8081-1F987B770426", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:emerson:gc370xa_firmware:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "0366C834-5B10-4E1E-85F7-139361C04C2B", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:emerson:gc700xa:-:*:*:*:*:*:*:*", "matchCriteriaId": "FDE8CBE2-CA78-4B35-AA04-13247025AF8E", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:emerson:gc700xa_firmware:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "57FCACE0-20E6-469A-AD42-011B5CF7AF89", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:emerson:gc1500xa:-:*:*:*:*:*:*:*", "matchCriteriaId": "0FD3C3C1-67EA-4366-8CFD-D41702E634BE", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:emerson:gc1500xa_firmware:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "ECAE53AD-7F73-467B-B8BB-0F13F520EAE4", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\nIn Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition.\n\n\n\n\n\n\n\n"}, {"lang": "es", "value": "En los productos Emerson Rosemount GC370XA, GC700XA y GC1500XA, un usuario no autenticado con acceso a la red podr\u00eda obtener acceso a informaci\u00f3n confidencial o provocar una condici\u00f3n de denegaci\u00f3n de servicio."}], "id": "CVE-2023-43609", "lastModified": "2024-02-15T14:45:17.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.7, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2024-02-09T04:15:07.583", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}