Roman Lozko

**Name of the Vulnerable Software and Affected Versions** Emerson OpenEnterprise versions up through 3.3.5 **Description** Inadequate encryption may allow the credentials used by Emerson OpenEnterprise to access field devices and external systems to be obtained. **Recommendations** For Emerson OpenEnterprise versions up through 3.3.5, update to a version later than 3.3.5 to ensure proper encryption of credentials. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Emerson OpenEnterprise versions through 3.3.4 **Description** Inadequate encryption may allow the passwords for user accounts to be obtained. **Recommendations** For Emerson OpenEnterprise versions through 3.3.4, update to a version that addresses the inadequate encryption issue to prevent passwords from being obtained.

**Name of the Vulnerable Software and Affected Versions** Emerson OpenEnterprise versions through 3.3.4 **Description** The issue is related to inadequate folder security permissions, which may allow modification of important configuration files. This could cause the system to fail or behave in an unpredictable manner. An attacker, acting remotely, could exploit this to cause a denial of service. **Recommendations** For Emerson OpenEnterprise versions through 3.3.4, consider restricting access to important configuration files to prevent unauthorized modifications until a patch is available. As a temporary workaround, review and tighten folder security permissions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Emerson OpenEnterprise versions through 3.3.4 **Description** The issue is related to the incorrect implementation of the authentication mechanism in the Emerson OpenEnterprise SCADA platform for remote oil and gas applications. This may allow an attacker to execute arbitrary commands with system privileges or perform remote code execution via a specific communication service by sending a specially crafted malicious service message. **Recommendations** For Emerson OpenEnterprise versions through 3.3.4, consider disabling the specific communication service that allows remote code execution until a patch is available. Restrict access to the system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Emerson OpenEnterprise SCADA Server version 2.83 Emerson OpenEnterprise versions 3.1 through 3.3.3 **Description** A Heap-based Buffer Overflow issue allows a specially crafted script to execute code on the OpenEnterprise Server. This issue is present when Modbus or ROC Interfaces have been installed and are in use. **Recommendations** For Emerson OpenEnterprise SCADA Server version 2.83, update the system to prevent the exploitation of the Heap-based Buffer Overflow issue. For Emerson OpenEnterprise versions 3.1 through 3.3.3, update the system to prevent the exploitation of the Heap-based Buffer Overflow issue. As a temporary workaround, consider restricting access to the Modbus or ROC Interfaces until a patch is available.