Hilscher EtherNet/IP Adapter V2 prior to V126.96.36.199
denial-of-service, remote code execution
A denial of service and memory corruption vulnerability could exist in Hilscher's EtherNet/IP Core V2 that could allow arbitrary code to be injected through the network or make the EtherNet/IP device crash without recovery.
The EtherNet/IP Core V2 processes a CIP service request that is received from the network. During that process the attached service data is copied into an internal buffer without checking the size of the data being copied. This results in memory corruption (stack damage) that could be used for remote code injection. In addition, the EtherNet/IP device stops responding due to its courrupted stack, making it vulnerable to a denial-of-service attack.
The security advisory and information contained herein, are provided on an "as is" basis and do not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. The information in this advisory should not be construed as a commitment by Hilscher. In no event shall Hilscher be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, nor shall Hilscher be liable for incidental or consequential damages arising from use of any software or hardware described in this advisory. Hilscher provides no warranty, express or implied, for the information contained in this document, and assumes no responsibility for the information contained in this document or for any errors that may appear in this document. Your use of the advisory and information contained herein, or materials linked from the advisory, is at your own risk. Information in this advisory and any related communications is based on our knowledge at the time of publication and is subject to change without notice. Hilscher reserves the right to change or update advisorys at any time.