Security
Headlines
HeadlinesLatestCVEs

Headline

Researchers Uncover Major Security Vulnerabilities in Industrial MMS Protocol Libraries

Details have emerged about multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol that, if successfully exploited, could have severe impacts in industrial environments. “The vulnerabilities could allow an attacker to crash an industrial device or in some cases, enable remote code execution,” Claroty researchers Mashav Sapir and Vera

The Hacker News
#vulnerability#dos#git#intel#rce#buffer_overflow#auth#sap#The Hacker News

Industrial Security / Critical Infrastructure

Details have emerged about multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol that, if successfully exploited, could have severe impacts in industrial environments.

“The vulnerabilities could allow an attacker to crash an industrial device or in some cases, enable remote code execution,” Claroty researchers Mashav Sapir and Vera Mens said in a new analysis.

MMS is an OSI application layer messaging protocol that enables remote control and monitoring of industrial devices by exchanging supervisory control information in an application-agnostic manner.

Specifically, it allows for communication between intelligent electronic devices (IEDs) and supervisory control and data acquisition (SCADA) systems or programmable logic controllers (PLCs).

The five shortcomings identified by the operational technology security company impact MZ Automation’s libIEC61850 library and Triangle MicroWorks’ TMW IEC 61850 library, and were patched in September and October 2022 following responsible disclosure -

  • CVE-2022-2970 (CVSS score: 10.0) - A stack-based buffer overflow vulnerability in libIEC61850 that could lead to a crash or remote code execution

  • CVE-2022-2971 (CVSS score: 8.6) - A type confusion vulnerability in libIEC61850 that could allow an attacker to crash the server with a malicious payload

  • CVE-2022-2972 (CVSS score: 10.0) - A stack-based buffer overflow vulnerability in libIEC61850 that could lead to a crash or remote code execution

  • CVE-2022-2973 (CVSS score: 8.6) - A null pointer deference vulnerability that could allow an attacker to crash the server

  • CVE-2022-38138 (CVSS score:7.5) - An access of uninitialized pointer vulnerability that allows an attacker to cause a denial-of-service (DoS) condition

Claroty’s analysis also found that Siemens SIPROTEC 5 IED relied on an outdated version of SISCO’s MMS-EASE stack for MMS support, which is susceptible to a DoS condition via a specially crafted packet (CVE-2015-6574, CVSS score: 7.5).

The German company has since updated its firmware with an updated version of the protocol stack as of December 2022, according to an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The research highlights the “gap between modern technology’s security demands and the outdated, hard-to-replace protocols,” Claroty said, urging vendors to follow security guidelines issued by CISA.

The disclosure comes weeks after Nozomi Networks detailed two vulnerabilities in the reference implementation of Espressif’s ESP-NOW wireless protocol (CVE-2024-42483 and CVE-2024-42484) that could allow replay attacks and cause a DoS condition.

“Depending on the system being targeted, this vulnerability [CVE-2024-42483] can have profound consequences,” it said. “ESP-NOW is used in security systems such as building alarms, allowing them to communicate with motion sensors.”

“In such a scenario, an attacker could exploit this vulnerability to replay a previously intercepted legitimate ‘OFF’ command, thereby disabling a motion sensor at will.”

Alternatively, ESP-NOW’s use in remote door openers, such as automatic gates and garage doors, could be weaponized to intercept an “OPEN” command and replay it at a later time to gain unauthorized access to buildings.

Back in August, Nozomi Networks also shed light on a set of unpatched 37 vulnerabilities in the OpenFlow libfluid_msg parsing library, collectively dubbed FluidFaults, that an adversary could exploit to crash Software-Defined Networking (SDN) applications.

“An attacker with network visibility to an OpenFlow controller/forwarder can send a malicious OpenFlow network packet that leads to a denial-of-service (DoS) attack,” the company said.

In recent months, security flaws have also been uncovered in Beckhoff Automation’s TwinCAT/BSD operating system that could expose PLCs to logic tampering, DoS attacks, and even command execution with root privileges on the controller.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

CVE-2022-38138

The Triangle Microworks IEC 61850 Library (Any client or server using the C language library with a version number of 11.2.0 or earlier and any client or server using the C++, C#, or Java language library with a version number of 5.0.1 or earlier) and 60870-6 (ICCP/TASE.2) Library (Any client or server using a C++ language library with a version number of 4.4.3 or earlier) are vulnerable to access given to a small number of uninitialized pointers within their code. This could allow an attacker to target any client or server using the affected libraries to cause a denial-of-service condition.

CVE-2022-2970

MZ Automation's libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e) does not sanitize input before memcpy is used, which could allow an attacker to crash the device or remotely execute arbitrary code.