ESB-2017.1924 - [Win] Eaton ELCSoft: Execute arbitrary code/commands - Remote/unauthenticated 2017-08-03


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1924
   Multiple vulnerabilities have been identified in Eaton ELCSoft ELCSimulator
                               3 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Eaton ELCSoft
Publisher:         Zero Day Initiative
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 
   http://www.zerodayinitiative.com/advisories/ZDI-17-519
   http://www.zerodayinitiative.com/advisories/ZDI-17-520

Comment: This bulletin contains two (2) Zero Day Initiative security 
         advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

(0Day) Eaton ELCSoft Project File Parsing Heap-based Buffer Overflow Remote
Code Execution Vulnerability
ZDI-17-519: August 2nd, 2017
CVSS Score

    6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Vendors

    Eaton

Affected Products

    ELCSoft

Vulnerability Details


This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Eaton ELCSoft. User interaction is required
to exploit this vulnerability in that the target must visit a malicious
page or open a malicious file.

The specific flaw exists within processing of EPC files. The issue results
from the lack of proper validation of the length of user-supplied data prior
to copying it to a fixed-length heap-based buffer. An attacker can leverage
this vulnerability to execute arbitrary code in the context of the process.

Vendor Response

Eaton states:


This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

09/08/2016 - ZDI disclosed the report to ICS-CERT
09/19/2016 - The vendor acknowledged receipt of the report through ICS-CERT
and ICS-CERT provided ICS-VU-170656
11/01/2016 - The vendor requested additional details from ZDI through
ICS-CERT
11/07/2016 - ZDI provided additional details as requested
03/13/2017, 03/17/2017, and 03/29/2017 - ICS-CERT replied that the vendor
could not validate the findings on its latest version and asked whether ZDI
could re-test against that version
04/05/2017 - ZDI replied that this report still reproduces
07/12/2017 - ZDI requested an update from ICS-CERT
07/13/2017 - ICS-CERT indicated that to their knowledge the vendor has
not yet created a relevant patch
07/20/2017 - ZDI notified the vendor of the intention to publish the report
as 0-day

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.
Note that for this issue the vector is a crafted EPC project file opened by
the user rather than a network listener, so host whitelisting alone does not
prevent exploitation; EPC files from untrusted sources should not be opened
on installations of ELCSoft.

Disclosure Timeline

    2016-09-08 - Vulnerability reported to vendor
    2017-08-02 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:

    Ariele Caltabiano (kimiya)

--------------------------------------------------------------------------------

(0Day) Eaton ELCSoft ELCSimulator Stack-based Buffer Overflow Remote Code
Execution Vulnerability
ZDI-17-520: August 2nd, 2017
CVSS Score

    6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Vendors

    Eaton

Affected Products

    ELCSoft

Vulnerability Details


This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Eaton ELCSoft. Authentication is not required
to exploit this vulnerability.

The specific flaw exists within the processing of network TCP requests
by ELCSimulator.exe. The issue results from the lack of proper validation
of the length of user-supplied data prior to copying it to a fixed-length
stack-based buffer. An attacker can leverage this vulnerability to execute
arbitrary code in the context of the process.
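
Both advisories describe the same root cause, a length taken from untrusted
input and used for a copy into a fixed-length buffer, differing only in
whether that buffer lives on the heap (the EPC project-file parser,
ZDI-17-519) or on the stack (the ELCSimulator TCP request handler,
ZDI-17-520). The following C program is an added example illustrating that
bug class beside its fix; it is not code from ELCSoft, Eaton or ZDI. The
record layout (a 16-bit little-endian length followed by the payload), the
FIELD_MAX capacity, the sample records and every function name are
assumptions made for illustration, since the advisories do not describe the
real EPC format or the ELCSimulator protocol.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative record format (an assumption, not the real EPC file layout or
 * the ELCSimulator wire protocol): a 16-bit little-endian length field
 * followed by that many payload bytes. */
#define FIELD_MAX 64   /* capacity of the fixed-length destination buffer */

/* Write a record into dst. `declared` becomes the length field and may disagree
 * with payload_len, modelling an attacker-chosen value. Returns 0 if it won't fit. */
static size_t build_record(uint8_t *dst, size_t dst_cap, uint16_t declared,
                           const void *payload, size_t payload_len)
{
    if (dst_cap < 2 + payload_len) return 0;
    dst[0] = (uint8_t)(declared & 0xff);
    dst[1] = (uint8_t)(declared >> 8);
    memcpy(dst + 2, payload, payload_len);
    return 2 + payload_len;
}

/* VULNERABLE: the pattern both advisories describe. The declared length is
 * trusted and copied into a fixed-length buffer: `out` on the heap is the
 * ZDI-17-519 case, `out` on the stack the ZDI-17-520 case. Only called on
 * well-formed input below. */
static int copy_field_unchecked(const uint8_t *rec, char *out)
{
    uint16_t n = (uint16_t)(rec[0] | (rec[1] << 8));
    memcpy(out, rec + 2, n);   /* n is never compared to FIELD_MAX or rec size */
    return (int)n;
}

/* HARDENED: the declared length must be covered by the bytes actually present
 * and must fit the destination with room for a terminator.
 * Returns the payload length, or -1 if the record is rejected. */
static int copy_field_checked(const uint8_t *rec, size_t rec_len,
                              char *out, size_t out_cap)
{
    if (rec_len < 2) return -1;
    uint16_t n = (uint16_t)(rec[0] | (rec[1] << 8));
    if (n > rec_len - 2) return -1;   /* claims more bytes than the record carries */
    if (n >= out_cap)    return -1;   /* would overflow the fixed-length destination */
    memcpy(out, rec + 2, n);
    out[n] = '\0';
    return (int)n;
}

/* Heap sink, modelled on the EPC project-file parser (ZDI-17-519). */
static int parse_project_field(const uint8_t *rec, size_t rec_len, char **name_out)
{
    char *buf = malloc(FIELD_MAX);    /* fixed-length heap buffer */
    *name_out = NULL;
    if (!buf) return -1;
    int n = copy_field_checked(rec, rec_len, buf, FIELD_MAX);
    if (n < 0) { free(buf); return -1; }
    *name_out = buf;                  /* caller frees the NUL-terminated copy */
    return n;
}

/* Stack sink, modelled on the ELCSimulator TCP request handler (ZDI-17-520). */
static int handle_request(const uint8_t *req, size_t req_len)
{
    char buf[FIELD_MAX];              /* fixed-length stack buffer */
    return copy_field_checked(req, req_len, buf, sizeof buf);
}

/* Constructed benign input: a 5-byte field with an honest length field. The
 * unchecked and the checked copy behave identically on it. */
static int demo_benign(int use_checked)
{
    uint8_t rec[256];
    char stack_buf[FIELD_MAX], *heap_name = NULL;
    size_t len = build_record(rec, sizeof rec, 5, "hello", 5);
    int n = use_checked ? parse_project_field(rec, len, &heap_name)
                        : copy_field_unchecked(rec, stack_buf);
    free(heap_name);
    return n;                         /* 5 either way */
}

/* Constructed request with `declared` in the length field and payload_len
 * bytes of 'A' actually present; returns the checked handler's verdict. */
static int probe_request(uint16_t declared, size_t payload_len)
{
    uint8_t rec[256], payload[256];
    memset(payload, 'A', sizeof payload);
    size_t len = build_record(rec, sizeof rec, declared, payload, payload_len);
    return len ? handle_request(rec, len) : -1;
}

int main(void)
{
    printf("benign, unchecked/checked: %d/%d\n", demo_benign(0), demo_benign(1));
    /* length 0xFFFF with 8 bytes present: an unchecked memcpy would write
     * 65535 bytes over a 64-byte buffer; the checked path rejects it. */
    printf("hostile 0xFFFF/8: %d, oversize 100/100: %d, largest ok 63/63: %d\n",
           probe_request(0xFFFF, 8), probe_request(100, 100), probe_request(63, 63));
    return 0;
}
```

The two comparisons in copy_field_checked are exactly what the advisories say
is missing: the declared length is checked against the bytes that actually
arrived (so a truncated file or a short TCP segment cannot cause an
over-read) and against the destination capacity (so it cannot overrun the
heap or stack buffer). The hostile record is therefore rejected before any
copy takes place, while the unchecked routine, which this program never runs
on that input, would copy 65535 bytes into a 64-byte buffer.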

Vendor Response

Eaton states:


This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI 120 day deadline.

10/11/2016 - ZDI disclosed the report to ICS-CERT
11/01/2016 - The vendor requested additional details from ZDI through
ICS-CERT
11/07/2016 - ZDI provided additional details as requested
03/13/2017, 03/17/2017, and 03/29/2017 - ICS-CERT replied that the vendor
could not validate the findings on its latest version and asked whether ZDI
could re-test against that version
04/05/2017 - ZDI replied that this report still reproduces
07/12/2017 - ZDI requested an update from ICS-CERT
07/13/2017 - ICS-CERT indicated that to their knowledge the vendor has
not yet created a relevant patch
07/20/2017 - ZDI notified the vendor of the intention to publish the report
as 0-day

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.

Disclosure Timeline

    2016-10-11 - Vulnerability reported to vendor
    2017-08-02 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:

    Ariele Caltabiano (kimiya)

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
