TippingPoint Zero Day Initiative

(0Day) Eaton ELCSoft EPC File Parsing Out-Of-Bounds Access Remote Code Execution Vulnerability

ZDI-17-814: September 26th, 2017

CVSS Score

Affected Vendors

    Eaton

Affected Products

    ELCSoft

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eaton ELCSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of an EPC file. The process does not properly validate user-supplied data, which can result in memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the process.
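The flaw class described above is a parser trusting a length or offset read from the file and indexing with it before checking it against the data actually present. The following is an added example, not Eaton's code and not the real EPC layout: it parses a hypothetical little-endian container of [u16 count] followed by count records of [u16 len][payload], and shows the checks that reject a file whose declared lengths exceed the buffer instead of reading past its end. The two byte arrays are constructed samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not Eaton's code. The layout is a hypothetical
 * length-prefixed container, not the real EPC format:
 *   [u16 count] then count * ([u16 len][len bytes payload]), little-endian. */

#define MAX_RECORDS 16

typedef struct {
    const uint8_t *data;   /* points into the caller's buffer */
    size_t len;
} record_t;

static uint16_t rd_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Parse records out of buf. Every declared length is checked against the
 * bytes that actually remain before it is used as an offset, so a file
 * that claims more payload than it carries is rejected rather than
 * producing an access past the end of the buffer.
 * Returns the record count, or -1 if the file is malformed. */
int parse_records(const uint8_t *buf, size_t buf_len,
                  record_t *out, size_t max_out) {
    size_t pos = 0;
    if (buf == NULL || buf_len < 2) return -1;
    uint16_t count = rd_u16le(buf);
    pos = 2;
    if (count > max_out) return -1;           /* output array too small */
    for (size_t i = 0; i < count; i++) {
        if (buf_len - pos < 2) return -1;     /* record header would overrun */
        uint16_t len = rd_u16le(buf + pos);
        pos += 2;
        /* Compare against the remaining bytes, not pos + len, so the check
         * cannot be defeated by size_t wrap-around. */
        if (len > buf_len - pos) return -1;   /* payload would overrun */
        out[i].data = buf + pos;
        out[i].len = len;
        pos += len;
    }
    return (int)count;
}

/* Constructed sample: two records, "AB" and "xyz". */
static const uint8_t GOOD_FILE[] = {
    0x02, 0x00,
    0x02, 0x00, 'A', 'B',
    0x03, 0x00, 'x', 'y', 'z'
};

/* Constructed sample: the second record declares 0x4000 bytes but the
 * file ends after "xy". An unchecked parser would index far past the
 * end of its buffer here; this parser reports the file as malformed. */
static const uint8_t BAD_FILE[] = {
    0x02, 0x00,
    0x02, 0x00, 'A', 'B',
    0x00, 0x40, 'x', 'y'
};

int demo_good(void) {
    record_t recs[MAX_RECORDS];
    return parse_records(GOOD_FILE, sizeof GOOD_FILE, recs, MAX_RECORDS);
}

int demo_bad(void) {
    record_t recs[MAX_RECORDS];
    return parse_records(BAD_FILE, sizeof BAD_FILE, recs, MAX_RECORDS);
}

/* Length of record i in the good sample, or -1 if it does not exist. */
int demo_good_record_len(size_t i) {
    record_t recs[MAX_RECORDS];
    int n = parse_records(GOOD_FILE, sizeof GOOD_FILE, recs, MAX_RECORDS);
    if (n < 0 || i >= (size_t)n) return -1;
    return (int)recs[i].len;
}

int main(void) {
    printf("good file: %d records\n", demo_good());   /* 2 */
    printf("bad file: %d\n", demo_bad());             /* -1 */
    return 0;
}
```

The two checks that matter are the ones before `rd_u16le(buf + pos)` and before assigning `out[i].data`: each is phrased as "declared size <= bytes remaining" so that the arithmetic cannot overflow, and the parser never touches a byte it has not first proven to exist.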

Vendor Response

Eaton states:

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/23/2017 and 03/28/2017 - ZDI disclosed the reports to ICS-CERT
03/24/2017 - ICS-CERT provided ZDI with an ICS-VU#, ICS-VU-380351
03/28/2017 - ICS-CERT acknowledged all 7 reports from ZDI for this vendor
08/11/2017 - ZDI sent a status inquiry to ICS-CERT
08/11/2017 - ICS-CERT replied that the vendor is working with a 3rd party component and had no ETA
08/30/2017 - ZDI asked ICS-CERT to notify the vendor that these will 0-day on 9/26
09/15/2017 - ZDI reminded ICS-CERT that these will 0-day on 9/26

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application to trusted files.

Disclosure Timeline

    2017-03-28 - Vulnerability reported to vendor
    2017-09-26 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:
    axt