CVE-2021-42536 Explained: Impact and Mitigation

Discover how CVE-2021-42536 impacts the Emerson WirelessHART Gateway. Learn about the disclosure vulnerability allowing unauthorized access to peer credentials and the recommended solution.

Emerson WirelessHART Gateway is susceptible to a disclosure vulnerability that allows unauthorized access to peer username and password information. This CVE was reported by Amir Preminger of Claroty to CISA.

Understanding CVE-2021-42536

The Emerson WirelessHART Gateway is affected by a security issue that could expose sensitive credentials to unauthorized users.

What is CVE-2021-42536?

The vulnerability in the WirelessHART Gateway permits any user to read global variables, potentially disclosing peer username and password information.

The Impact of CVE-2021-42536

This vulnerability has a high impact on confidentiality, integrity, and availability of the affected systems, with a CVSS base score of 8 (High).

Technical Details of CVE-2021-42536

The technical details of the vulnerability in the Emerson WirelessHART Gateway are as follows:

Vulnerability Description

The flaw allows all users to access and read global variables, leading to the exposure of peer credentials.

Affected Systems and Versions

        Product: WirelessHART Gateway
        Vendor: Emerson
        Vulnerable Versions: 1410, 1410D, 1420 (<=4.7.94)

Exploitation Mechanism

The vulnerability is exploitable over the network and requires low privileges as well as user interaction.

Mitigation and Prevention

To address CVE-2021-42536, follow these measures:

Immediate Steps to Take

        Upgrade to version 4.7.105 of the Emerson WirelessHART Gateway.

Long-Term Security Practices

        Regularly review access controls and permissions in the system.
        Implement strong password policies and ensure that confidential data is encrypted.

Patching and Updates

        Emerson recommends upgrading to v4.7.105 to mitigate the disclosed vulnerabilities.
        Obtain the updated version and instructions from the Emerson Gate Firmware site.
        Users without a Guardian account should create one to access the updated firmware download process.
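
To find which gateways still need the upgrade, the version bounds above can be applied to an asset inventory. The following is an added example, not code from Emerson or from this page; the inventory layout, hostnames and status labels are assumptions made for illustration.

```python
import re

# Bounds taken from the advisory text above.
AFFECTED_MODELS = {"1410", "1410D", "1420"}
LAST_VULNERABLE = (4, 7, 94)
FIXED = (4, 7, 105)

def parse_version(text):
    """Return (major, minor, patch) as integers, or None if unparseable."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip(), re.IGNORECASE)
    return tuple(int(p) for p in m.groups()) if m else None

def triage(model, firmware):
    """Classify one gateway record against the advisory's version bounds."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "not-listed"
    version = parse_version(firmware)
    if version is None:
        return "check-manually"  # unreadable version: do not assume it is safe
    # Compare integer tuples, not strings: as text, "4.7.105" sorts before
    # "4.7.94", which would report the fixed release as vulnerable.
    if version <= LAST_VULNERABLE:
        return "vulnerable"
    if version >= FIXED:
        return "fixed"
    # Builds between 4.7.94 and 4.7.105 are not covered by the advisory text.
    return "check-manually"

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("gw-plant-a", "1420", "4.7.94"),
    ("gw-plant-b", "1410D", "v4.7.105"),
    ("gw-plant-c", "1410", "4.7.9"),
    ("gw-plant-d", "1420", "4.7.100"),
    ("gw-lab-1", "1410", "unknown"),
    ("gw-other", "9999", "1.0.0"),
]

def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```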
