A critical vulnerability uncovered in Real-Time Automation’s (RTA) 499ES EtherNet/IP (ENIP) stack could open up the industrial control systems to remote attacks by adversaries.
RTA’s ENIP stack is one of the widely used industrial automation devices and is billed as the “standard for factory floor I/O applications in North America.”
“Successful exploitation of this vulnerability could cause a denial-of-service condition, and a buffer overflow may allow remote code execution,” the US cybersecurity and infrastructure agency (CISA) said in an advisory.
As of yet, no known public exploits have been found to target this vulnerability. However, “according to public search engines for Internet-connected devices (e.g. shodan.io) there are more than 8,000 ENIP-compatible internet-facing devices.”
Tracked as CVE-2020-25159, the flaw is rated 9.8 out of 10 in severity by the industry-standard Common Vulnerability Scoring System (CVSS) and impacts all versions of EtherNet/IP Adapter Source Code Stack prior to 2.28, which was released on November 21, 2012.
The stack overflow vulnerability was disclosed to CISA last month by Sharon Brizinov, a security researcher for operational technology security company Claroty.
Although it appears that RTA removed the attackable code from its software as early as 2012, it’s suspected that many vendors may have bought vulnerable versions of this stack before the 2012 update and integrated it into their own firmware, thereby putting multiple devices at risk.
“Eleven devices were found to be running RTA’s ENIP stack in products from six unique vendors,” the researchers said.
The flaw in itself concerns an improper check in the path parsing mechanism employed in Common Industrial Protocol (CIP) — a communication protocol used for organizing and sharing data in industrial devices — allowing an attacker to open a CIP request with a large connection path size (greater than 32) and cause the parser to write to a memory address outside the fixed-length buffer, thus leading to the potential execution of arbitrary code.
“The older code in the RTA device attempted to reduce RAM usage by limiting the size of a particular buffer used in an EtherNet/IP Forward Open request,” RTA said in its disclosure. “By limiting the RAM, it made it possible for an attacker to attempt to overrun the buffer and use that to try to get control of the device.”
Claroty researchers scanned 290 different ENIP-compatible modules, of which 11 devices from six different vendors were found to be using RTA’s ENIP stack. There are currently more than 8,000 ENIP-compatible internet-facing devices, according to a search on Shodan.
“Similarly to previous disclosures, such as Ripple20 or Urgent/11, this is another case of a vulnerable third-party core library putting products from [Industrial Control System] vendors at risk,” Brizinov noted in an analysis.
It’s recommended that operators update to current versions of the ENIP stack to mitigate the flaw. CISA also advised users to minimize network exposure for all control system devices and ensure that they are not accessible from the Internet.
“Locate control system networks and remote devices behind firewalls, and isolate them from the business network,” CISA said in its alert. “When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available.”