Researchers Uncover Major Security Vulnerabilities in Industrial MMS Protocol Libraries

Avatar
Details have emerged about multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol that, if successfully exploited, could have severe impacts in industrial environments. “The vulnerabilities could allow an attacker to crash an industrial device or in some cases, enable remote code execution,” Claroty researchers Mashav Sapir and Vera
[[{“value”:”

Details have emerged about multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol that, if successfully exploited, could have severe impacts in industrial environments.

“The vulnerabilities could allow an attacker to crash an industrial device or in some cases, enable remote code execution,” Claroty researchers Mashav Sapir and Vera Mens said in a new analysis.

MMS is an OSI application layer messaging protocol that enables remote control and monitoring of industrial devices by exchanging supervisory control information in an application-agnostic manner.

Specifically, it allows for communication between intelligent electronic devices (IEDs) and supervisory control and data acquisition (SCADA) systems or programmable logic controllers (PLCs).

The five shortcomings identified by the operational technology security company impact MZ Automation’s libIEC61850 library and Triangle MicroWorks’ TMW IEC 61850 library, and were patched in September and October 2022 following responsible disclosure –

CVE-2022-2970 (CVSS score: 10.0) – A stack-based buffer overflow vulnerability in libIEC61850 that could lead to a crash or remote code execution
CVE-2022-2971 (CVSS score: 8.6) – A type confusion vulnerability in libIEC61850 that could allow an attacker to crash the server with a malicious payload
CVE-2022-2972 (CVSS score: 10.0) – A stack-based buffer overflow vulnerability in libIEC61850 that could lead to a crash or remote code execution
CVE-2022-2973 (CVSS score: 8.6) – A null pointer deference vulnerability that could allow an attacker to crash the server
CVE-2022-38138 (CVSS score:7.5) – An access of uninitialized pointer vulnerability that allows an attacker to cause a denial-of-service (DoS) condition

Claroty’s analysis also found that Siemens SIPROTEC 5 IED relied on an outdated version of SISCO’s MMS-EASE stack for MMS support, which is susceptible to a DoS condition via a specially crafted packet (CVE-2015-6574, CVSS score: 7.5).

The German company has since updated its firmware with an updated version of the protocol stack as of December 2022, according to an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The research highlights the “gap between modern technology’s security demands and the outdated, hard-to-replace protocols,” Claroty said, urging vendors to follow security guidelines issued by CISA.

The disclosure comes weeks after Nozomi Networks detailed two vulnerabilities in the reference implementation of Espressif’s ESP-NOW wireless protocol (CVE-2024-42483 and CVE-2024-42484) that could allow replay attacks and cause a DoS condition.

“Depending on the system being targeted, this vulnerability [CVE-2024-42483] can have profound consequences,” it said. “ESP-NOW is used in security systems such as building alarms, allowing them to communicate with motion sensors.”

“In such a scenario, an attacker could exploit this vulnerability to replay a previously intercepted legitimate ‘OFF’ command, thereby disabling a motion sensor at will.”

Alternatively, ESP-NOW’s use in remote door openers, such as automatic gates and garage doors, could be weaponized to intercept an “OPEN” command and replay it at a later time to gain unauthorized access to buildings.

Back in August, Nozomi Networks also shed light on a set of unpatched 37 vulnerabilities in the OpenFlow libfluid_msg parsing library, collectively dubbed FluidFaults, that an adversary could exploit to crash Software-Defined Networking (SDN) applications.

“An attacker with network visibility to an OpenFlow controller/forwarder can send a malicious OpenFlow network packet that leads to a denial-of-service (DoS) attack,” the company said.

In recent months, security flaws have also been uncovered in Beckhoff Automation’s TwinCAT/BSD operating system that could expose PLCs to logic tampering, DoS attacks, and even command execution with root privileges on the controller.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

Social Media Accounts: The Weak Link in Organizational SaaS Security

Next Post

Google Joins Forces with GASA and DNS RF to Tackle Online Scams at Scale

Related Posts

Master Certificate Management: Join This Webinar on Crypto Agility and Best Practices

In the fast-paced digital world, trust is everything—but what happens when that trust is disrupted? Certificate revocations, though rare, can send shockwaves through your operations, impacting security, customer confidence, and business continuity. Are you prepared to act swiftly when the unexpected happens? Join DigiCert’s exclusive webinar, "When Shift Happens: Are You Ready for Rapid
Avatar
Read More