Advisory Details

August 7th, 2017

(0Day) Eaton ELCSoft Project File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

ZDI-17-519
ZDI-CAN-3960

CVE ID
CVSS SCORE 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P
AFFECTED VENDORS Eaton
AFFECTED PRODUCTS ELCSoft
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 24488. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eaton ELCSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within processing of EPC files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code in the context of the process.
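The advisory attributes the flaw to a copy into a fixed-length heap buffer that is not preceded by a check on the attacker-controlled length. The following C example, added here and not taken from the advisory or from Eaton's ELCSoft code, shows a length-prefixed record parser that performs the two checks such a copy needs before it calls memcpy: the declared length must not exceed the bytes actually present, and it must not exceed the capacity of the destination buffer. The record layout (a 2-byte big-endian length followed by a payload), the 64-byte capacity and every function name are assumptions constructed for this illustration; the real EPC file format is not described on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed-length heap buffer size for the example (not ELCSoft's value). */
#define RECORD_CAP 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,   /* declared length exceeds the bytes available */
    PARSE_TOO_LONG = 2     /* declared length exceeds the destination buffer */
};

/*
 * Hypothetical record layout, constructed for this example:
 *   [len_hi][len_lo][payload ... len bytes ...]
 *
 * The unsafe pattern the advisory describes copies `len` bytes into a
 * RECORD_CAP-byte heap buffer without comparing `len` to RECORD_CAP:
 *     memcpy(buf, in + 2, len);   // heap overflow whenever len > RECORD_CAP
 *
 * parse_record() performs the missing validation before copying. `buf`
 * must point to at least `buf_cap` bytes; on PARSE_OK, *out_len holds the
 * number of payload bytes copied.
 */
enum parse_status parse_record(const uint8_t *in, size_t in_len,
                               uint8_t *buf, size_t buf_cap, size_t *out_len)
{
    if (in_len < 2)
        return PARSE_TRUNCATED;                 /* no complete length field */

    size_t len = ((size_t)in[0] << 8) | (size_t)in[1];

    if (len > buf_cap)
        return PARSE_TOO_LONG;                  /* would overflow the heap buffer */
    if (len > in_len - 2)
        return PARSE_TRUNCATED;                 /* file claims more bytes than it holds */

    memcpy(buf, in + 2, len);                   /* bounded copy: len <= buf_cap */
    *out_len = len;
    return PARSE_OK;
}

/* Allocates the fixed-size heap buffer, parses one record into it, and
 * returns the parser's verdict. Mirrors the allocation pattern the advisory
 * describes, with the checks applied. */
enum parse_status check_record(const uint8_t *in, size_t in_len)
{
    uint8_t *buf = malloc(RECORD_CAP);
    if (buf == NULL)
        return PARSE_TRUNCATED;                 /* treat allocation failure as a reject */
    size_t n = 0;
    enum parse_status st = parse_record(in, in_len, buf, RECORD_CAP, &n);
    free(buf);
    return st;
}

int main(void)
{
    /* Constructed sample records (not real EPC data). */
    const uint8_t good[] = { 0x00, 0x05, 'H', 'E', 'L', 'L', 'O' };
    const uint8_t short_file[] = { 0x00, 0x10, 'a', 'b' };     /* claims 16, has 2 */
    uint8_t big[2 + 256];
    big[0] = 0x01; big[1] = 0x00;                              /* claims 256 bytes */
    memset(big + 2, 'A', 256);                                 /* and really has them */

    printf("good        -> %d (expect %d)\n", check_record(good, sizeof good), PARSE_OK);
    printf("short_file  -> %d (expect %d)\n", check_record(short_file, sizeof short_file), PARSE_TRUNCATED);
    printf("big         -> %d (expect %d)\n", check_record(big, sizeof big), PARSE_TOO_LONG);
    return 0;
}
```

The capacity check is evaluated before the truncation check so that a record whose length field alone exceeds the buffer is reported as too long even when the file is also cut short; either rejection leaves the copy bounded, which is the property the advisory says the affected parser lacks.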

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

09/08/2016 - ZDI disclosed the report to ICS-CERT
09/19/2016 - The vendor acknowledged receipt of the report through ICS-CERT and ICS-CERT provided ICS-VU-170656
11/01/2016 - The vendor requested additional details from ZDI through ICS-CERT
11/07/2016 - ZDI provided additional details as requested
03/13/2017, 03/17/2017, and 03/29/2017 - ICS-CERT replied that the vendor could not validate these on the latest version and asked if ZDI could re-vet against that version
04/05/2017 - ZDI replied that this report still reproduces
07/12/2017 - ZDI requested an update from ICS-CERT
07/13/2017 - ICS-CERT indicated that to their knowledge the vendor has not yet created a relevant patch
07/20/2017 - ZDI notified the vendor of the intention to publish the report as 0-day

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.


DISCLOSURE TIMELINE
  • 2016-09-08 - Vulnerability reported to vendor
  • 2017-08-07 - Coordinated public release of advisory
CREDIT Ariele Caltabiano (kimiya)