TippingPoint Zero Day Initiative
 

(0Day) Eaton ELCSoft Device Comment Range Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

ZDI-17-813: September 26th, 2017

CVSS Score

Affected Vendors

    Eaton

Affected Products

    ELCSoft

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 28025.

Vulnerability Details


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eaton ELCSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of a Device Comment Range record in an EPC file. The issue results from the lack of proper validation of user-supplied data, which can result in a write to an arbitrary address. An attacker can leverage this vulnerability to execute arbitrary code under the context of the process.

Vendor Response

Eaton states:


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/23/2017 and 03/28/2017 - ZDI disclosed the reports to ICS-CERT
03/24/2017 - ICS-CERT provided ZDI with an ICS-VU#, ICS-VU-380351
03/28/2017 - ICS-CERT acknowledged all 7 reports from ZDI for this vendor
08/11/2017 - ZDI sent a status inquiry to ICS-CERT
08/11/2017 - ICS-CERT replied that the vendor is working with a third-party component and had no ETA
08/30/2017 - ZDI asked ICS-CERT to notify the vendor that these will 0-day on 9/26
09/15/2017 - ZDI reminded ICS-CERT that these will 0-day on 9/26

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application to trusted files.


Disclosure Timeline

    2017-03-23 - Vulnerability reported to vendor
    2017-09-26 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:
    axt