Security Advisories and Security Related Updates

 This fixes the following vulnerability:

• CVE-2023-38517

These vulnerabilities are fixed in the ACM versions shown here:

• ACM 9.2.0 and later

Affected Products:

AUTOSOL ACM 9.0.x, 9.1.x

Description:

RapidJSON is vulnerable to privilege escalation due to an integer underflow when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer underflow vulnerability (when the file is parsed), leading to elevation of privilege.

Note: This is a generic ‘JSON’ issue and not specific to the FlowX device. Because the FlowX devices uses JSON-formatted data, it is listed below.

Alternative Mitigation:

• Protect the data source (the FlowX device) from access to internal program modification.

• Disable use of the FlowX protocol.

 This fixes the following vulnerability:

• CVE-2022-28684

These vulnerabilities are fixed in the ACM versions shown here:

• ACM 9.2.0 and later

Affected Products:

AUTOSOL ACM 9.0.x, 9.1.x

Description:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of DevExpress. Authentication is required to exploit this vulnerability. The specific flaw exists within the SafeBinaryFormatter library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account.

Alternative Mitigation:

• Place strict permission controls on the ACM client folder holding layout files.

 This fixes the following vulnerability:

• CVE-2021-22570

These vulnerabilities are fixed in the ACM versions shown here:

• ACM 9.2.0 and later

Affected Products:

AUTOSOL ACM 9.0.x, 9.1.x

Description:

Nullptr dereference when a null character is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr.

Alternative Mitigation:

• Use firewall rules to prevent non-local connections to the OPCUA service port (configured in ACM Monitor).

 This fixes the following vulnerabilities:

• CVE-2023-27321

• CVE-2023-31048

These vulnerabilities are fixed in the ACM versions shown here:

• ACM 9.1.1 and later

Affected Products:

AUTOSOL ACM 9.0, ACM 9.0.1, ACM 9.1

Alternative Mitigation:

• Disable the OPC UA service via ACM Monitor.

• Contact AUTOSOL support to discuss modular upgrade options to mitigate this issue.

 This fixes the following vulnerabilities:

• CVE-2022-33916

  • CVSS 3.X Base Score: 7.5 High

These vulnerabilities are fixed in the ACM versions shown here:

• ACM 9.1 and later

Affected Products:

AUTOSOL ACM 9.0, ACM 9.0.1

Alternative Mitigation:

• Disable the OPC UA service via ACM Monitor.

• Contact AUTOSOL support to discuss modular upgrade options to mitigate this issue.

ACM Update for Emerson FloBoss 107^TM with firmware version 2.0

We now have an updated version of the ROC protocol for ACM 9.0.1 and later that will support the firmware upgrade of the following devices:

1. Emerson FloBoss^TM 107 to firmware version 2.0

2. Emerson ROC 800L to version 1.70

3. Emerson ROC 800 to version 3.90

If you have already upgraded the firmware for the Emerson FloBoss^TM 107 to version 2.0 and are unable to retrieve history this update will correct that.  Please contact your sales representative or AUTOSOL Customer Support to gain access to this fix.

Explanation

In November 2022, Emerson released new firmware for the Emerson FloBoss^TM 107 (version 2.0), Emerson ROC 800L (version 1.70) and Emerson ROC 800 (version 3.90).  In the new firmware for the Emerson ROC FloBoss 107s, point types 6, 7, 10, 41 & 42 were removed due to storage constraints in the device, and because their data was duplicated elsewhere.  ACM 9.0.1 and earlier are not compatible with this change.

Enabling security in the Emerson FloBoss^TM 107 , Emerson ROC 800s or ROC 800Ls in ACM

This support will formally be released in ACM 9.1 but if you wish to upgrade your firmware today and enable the security, AUTOSOL can provide a beta version of the new feature that makes use of the new security requirements.  The beta version will only work in 9.0 and later, and will be formally released in ACM 9.1 late spring/early summer 2023.  If this is something you are interested in, please contact your sales representative or AUTOSOL Customer Support.

ACM 9.0.1 and earlier cannot retrieve history or meter configuration data from an Emerson FloBoss 107 with firmware version 2.0. 

Explanation

In November 2022, Emerson released new firmware for the Emerson FloBoss^TM 107 (ver. 2.0), Emerson ROC 800L (ver. 1.70) and Emerson ROC 800 (ver. 3.90).  In the new firmware for the Emerson ROC FloBoss 107s, point types 6, 7, 10, 41 & 42 were removed due to storage constraints in the device, and because their data was duplicated elsewhere.  Current ACM releases rely on these point types and as a result, cannot retrieve meter configuration data or history from the Emerson ROC FloBoss 107.

What is being done about it

AUTOSOL is working on a solution.  When it is complete, AUTOSOL will provide hotfixes for all supported versions of ACM.

If you require assistance or additional information regarding the updated Emerson Firmware, please contact Emerson Support.

What about the Emerson ROC 800 and firmware version 1.70

You can upgrade your ROC 800s to firmware version 1.70 today and ACM will continue to work as normal as long as you have the security disabled in the device.

What if you want to enable security in the Emerson ROC 800s or ROC 800Ls and use ACM

If you wish to use ACM and enable the security, AUTOSOL can provide a beta version of the new feature that makes use of the new security requirements.  The new feature for the Emerson ROC 800s and 800Ls will only work in 9.0 and later, and will be formally released in ACM 9.1 late spring 2023.  If this is something you are interested in, please contact your sales representative or AUTOSOL Customer Support.

We will provide updates to this issue on this page.

Summary:

This latest version of AUTOSOL Communication Manager (ACM) 9.0.1 integrates the OPC UA .NET Standard Stack Version 1.4.369.30 from the OPC Foundation.

 This fixes the following vulnerabilities:

• CVE-2022-29862

  • CVSS 3.1 Base Score: 7.5 High

• CVE-2022-29863

  • CVSS 3.1 Base Score: 7.5 High

• CVE-2022-29864

  • CVSS 3.1 Base Score: 7.5 High

• CVE-2022-29865

  • CVSS 3.1 Base Score: 6.5 Medium

• CVE-2022-29866

  • CVSS 3.1 Base Score: 7.5 High

These vulnerabilities are fixed in the ACM versions shown here:

• ACM 9.0.1 and later

Affected Products:

AUTOSOL ACM 9.0

Alternative Mitigation:

• Disable the OPC UA service via ACM Monitor.

• Contact AUTOSOL support to discuss modular upgrade options to mitigate this issue.