Researchers Uncover Major Security Vulnerabilities in Industrial MMS Protocol Libraries

Oct 09, 2024 | Ravie Lakshmanan | Industrial Security / Critical Infrastructure

Details have emerged about multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol that, if successfully exploited, could have severe impacts in industrial environments.

“The vulnerabilities could allow an attacker to crash an industrial device or in some cases, enable remote code execution,” Claroty researchers Mashav Sapir and Vera Mens said in a new analysis.

MMS is an OSI application layer messaging protocol that enables remote control and monitoring of industrial devices by exchanging supervisory control information in an application-agnostic manner.

Specifically, it allows for communication between intelligent electronic devices (IEDs) and supervisory control and data acquisition (SCADA) systems or programmable logic controllers (PLCs).


The five shortcomings identified by the operational technology security company impact MZ Automation's libIEC61850 library and Triangle MicroWorks' TMW IEC 61850 library, and were patched in September and October 2022 following responsible disclosure –

  • CVE-2022-2970 (CVSS score: 10.0) – A stack-based buffer overflow vulnerability in libIEC61850 that could lead to a crash or remote code execution
  • CVE-2022-2971 (CVSS score: 8.6) – A type confusion vulnerability in libIEC61850 that could allow an attacker to crash the server with a malicious payload
  • CVE-2022-2972 (CVSS score: 10.0) – A stack-based buffer overflow vulnerability in libIEC61850 that could lead to a crash or remote code execution
  • CVE-2022-2973 (CVSS score: 8.6) – A null pointer dereference vulnerability that could allow an attacker to crash the server
  • CVE-2022-38138 (CVSS score: 7.5) – An access of uninitialized pointer vulnerability that allows an attacker to cause a denial-of-service (DoS) condition

Claroty's analysis also found that the Siemens SIPROTEC 5 IED relied on an outdated version of SISCO's MMS-EASE stack for MMS support, which is susceptible to a DoS condition via a specially crafted packet (CVE-2015-6574, CVSS score: 7.5).

The German company has since updated its firmware with a newer version of the protocol stack as of December 2022, according to an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The research highlights the “gap between modern technology's security demands and the outdated, hard-to-replace protocols,” Claroty said, urging vendors to follow security guidelines issued by CISA.

The disclosure comes weeks after Nozomi Networks detailed two vulnerabilities in the reference implementation of Espressif's ESP-NOW wireless protocol (CVE-2024-42483 and CVE-2024-42484) that could allow replay attacks and cause a DoS condition.


“Depending on the system being targeted, this vulnerability [CVE-2024-42483] can have profound consequences,” it said. “ESP-NOW is used in security systems such as building alarms, allowing them to communicate with motion sensors.”

“In such a scenario, an attacker could exploit this vulnerability to replay a previously intercepted legitimate ‘OFF’ command, thereby disabling a motion sensor at will.”

Alternatively, ESP-NOW's use in remote door openers, such as automatic gates and garage doors, could be weaponized to intercept an “OPEN” command and replay it at a later time to gain unauthorized access to buildings.

Back in August, Nozomi Networks also shed light on a set of 37 unpatched vulnerabilities in the OpenFlow libfluid_msg parsing library, collectively dubbed FluidFaults, that an adversary could exploit to crash Software-Defined Networking (SDN) applications.

“An attacker with network visibility to an OpenFlow controller/forwarder can send a malicious OpenFlow network packet that leads to a denial-of-service (DoS) attack,” the company said.

In recent months, security flaws have also been uncovered in Beckhoff Automation's TwinCAT/BSD operating system that could expose PLCs to logic tampering, DoS attacks, and even command execution with root privileges on the controller.
