Emerson Ovation OCR400 Controller (ICS-19-148-01) – Product Used in the Water and Wastewater and Energy Sectors

The NCCIC has published an advisory on stack-based buffer overflow and heap-based buffer overflow vulnerabilities in Ovation OCR400 Controller. Devices running version 3.3.1 or earlier are affected. Successful exploitation of these vulnerabilities may allow privilege escalation or remote code execution, or it may halt the controller. Emerson is issuing a notice to its customer base with mitigation recommendations, encouraging users with this older software to upgrade to a more current version supported by Emerson and the third-party vendor. The NCCIC also describes a series of measures it recommends partners take to mitigate the vulnerabilities. Read the advisory at NCCIC/ICS-CERT.