Details have emerged of multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol that, if successfully exploited, could have serious consequences in an industrial setting.
“These vulnerabilities could allow an attacker to disable an industrial device or, in some cases, allow remote code execution,” Claroty researchers Mashav Sapir and Vera Mens said in a new analysis.
MMS is an OSI application layer messaging protocol that provides remote control and monitoring of industrial devices by exchanging supervisory control information in an application-independent manner.
In particular, it allows communication between intelligent electronic devices (IED) and supervisory control and data acquisition (SCADA) systems or programmable logic controllers (PLCs).
Five vulnerabilities identified by the operational technology security company affect MZ Automation’s libIEC61850 library and Triangle MicroWorks’ TMW IEC 61850 library, and were patched in September and October 2022 after responsible disclosure –
- CVE-2022-2970 (CVSS Score: 10.0) – Stack buffer overflow vulnerability in libIEC61850 that could lead to a crash or remote code execution
- CVE-2022-2971 (CVSS Score: 8.6) – A type confusion vulnerability in libIEC61850 that could allow an attacker to crash a server with a malicious payload
- CVE-2022-2972 (CVSS Score: 10.0) – Stack buffer overflow vulnerability in libIEC61850 that could lead to a crash or remote code execution
- CVE-2022-2973 (CVSS Score: 8.6) – A vulnerability that could allow an attacker to cause a server crash
- CVE-2022-38138 (CVSS Score: 7.5) – An uninitialized pointer access vulnerability that allows an attacker to cause a denial of service (DoS) condition
Claroty’s analysis also found that the Siemens SIPROTEC 5 IED relied on an outdated version of SISCO’s MMS-EASE stack to support MMS, leaving it susceptible to DoS via a specially crafted packet (CVE-2015-6574, CVSS score: 7.5).
The German company has since updated its firmware with a newer version of the protocol stack as of December 2022, according to an advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA).
The study highlights “a gap between the security requirements of today’s technology and outdated protocols that are difficult to replace,” Claroty said, urging vendors to follow the security guidelines issued by CISA.
The disclosure comes weeks after Nozomi Networks detailed two vulnerabilities in Espressif’s ESP-NOW wireless protocol reference implementation (CVE-2024-42483 and CVE-2024-42484) that could allow replay attacks and cause a DoS condition.
“Depending on the system that is targeted, this vulnerability (CVE-2024-42483) could have serious consequences,” it said. “ESP-NOW is used in security systems such as building alarms, allowing them to communicate with motion sensors.”
“In such a scenario, an attacker could use this vulnerability to replay a previously intercepted legitimate OFF command, thereby disabling the motion sensor at will.”
Similarly, where ESP-NOW is used in remote door openers such as automatic gates and garage doors, the OPEN command could be intercepted and replayed later to gain unauthorized access to buildings.
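As an added illustration (not part of the original report or of Espressif’s code), the receiver-side freshness check that defeats this kind of replay: each command carries a monotonically increasing counter under a keyed MAC, and the receiver rejects any frame whose counter does not exceed the last one it accepted. The key, frame layout and command strings are constructed for the example and are not ESP-NOW’s actual format.

```python
"""Replay-protection model for a short-range command link (constructed example)."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-for-production"  # constructed sample key
TAG_LEN = 16  # truncated HMAC-SHA256 tag, enough for a short command frame


def build_frame(key: bytes, counter: int, command: str) -> bytes:
    """Sender side: frame = 4-byte big-endian counter || command || MAC tag."""
    body = struct.pack(">I", counter) + command.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Tracks the highest counter accepted so far; anything at or below it is a replay.

    In a real device this counter must survive reboots (persist it in NVS/flash),
    otherwise a power cycle re-opens the replay window.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        """Return (command, status); command is None unless status is 'ok'."""
        if len(frame) < 4 + TAG_LEN:
            return None, "short"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Authenticate before touching any state so a forged frame cannot move the counter.
        if not hmac.compare_digest(tag, expected):
            return None, "bad-tag"
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return None, "replay"  # a captured legitimate OFF/OPEN frame lands here
        self.last_counter = counter
        return body[4:].decode(), "ok"


def demo():
    """A sensor receives OFF, then the same captured OFF again, then a fresh ON."""
    rx = Receiver(KEY)
    off = build_frame(KEY, 1, "OFF")
    return [rx.accept(off)[1], rx.accept(off)[1], rx.accept(build_frame(KEY, 2, "ON"))[1]]
```

Encrypting the frame alone, as the vulnerable implementation did, does not help here: the attacker never needs to read the command, only to resend it, so freshness has to be checked explicitly.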
Back in August, Nozomi Networks also shed light on a set of 37 unpatched vulnerabilities in the OpenFlow parsing library libfluid_msg, collectively known as FluidFaults, that an adversary could use to crash software-defined networking (SDN) applications.
“An attacker with network visibility of an OpenFlow controller/forwarder can send a malicious OpenFlow network packet that leads to a denial of service (DoS) attack,” the company said.
Security flaws have also been uncovered in recent months in Beckhoff Automation’s TwinCAT/BSD operating system that could expose the PLC to logic tampering, DoS attacks, and even execution of commands with root privileges on the controller.