Advisory Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eaton ELCSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of a Device Comment Range record in an EPC file. The issue results from the lack of proper validation of user-supplied data, which can result in a write to an arbitrary address. An attacker can leverage this vulnerability to execute arbitrary code under the context of the process.

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/23/2017 and 03/28/2017 - ZDI disclosed the reports to ICS-CERT
03/24/2017 - ICS-CERT provided ZDI with an ICS-VU#, ICS-VU-380351
03/28/2017 - ICS-CERT acknowledged all 7 reports from ZDI for this vendor
08/11/2017 - ZDI sent a status inquiry to ICS-CERT
08/11/2017 - ICS-CERT replied that the vendor is working with a 3rd party component and had no ETA
08/30/2017 - ZDI asks ICS-CERT to notify the vendor that these will 0-day on 9/26
09/15/2017 - ZDI reminded ICS-CERT that these will 0-day on 9/26

-- Mitigation:
Given the nature of the vulnerability the only salient mitigation strategy is to restrict interaction with the application to trusted files.

• 2017-03-23 - Vulnerability reported to vendor
• 2017-09-26 - Coordinated public release of advisory