Page tree
Skip to end of metadata
Go to start of metadata
TitleEtherNet/IP stack crash for specific CIP service
CVE-
Hilscher Ticket

AffectsHilscher EtherNet/IP Adapter V2 prior to V2.13.0.21
Not affected-
Impactdenial-of-service, remote code execution
CVSS7.5
Severity

HIGH 

Last modified

 

Vulnerability Description

Short Decription

A denial of service and memory corruption vulnerability could exist in Hilscher's EtherNet/IP Core V2 that could allow arbitrary code to be injected through the network or make the EtherNet/IP device crash without recovery.

Detailed Description

The EtherNet/IP Core V2 processes a CIP service request that is received from the network. During that process the attached service data is copied into an internal buffer without checking the size of the data being copied. This results in memory corruption (stack damage) that could be used for remote code injection. In addition, the EtherNet/IP device stops responding due to its courrupted stack, making it vulnerable to a denial-of-service attack.

Vulnerability Severity

CVSS v3 Base Score7.5
CVSS v3 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v3 Link:https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact / Implications

Specially crafted packets could cause

  • denial of service
  • remote code execution
  • code exposure

Workaround

N/A

Corrective Action or Resolution

Affected users should upgrade to the hotfix version of Hilscher's EtherNet/IP V2 adapter stack (V2.13.0.21): EtherNet/IP Adapter V2.13.0.21

Disclaimer

The security advisory and information contained herein, are provided on an "as is" basis and do not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. The information in this advisory should not be construed as a commitment by Hilscher. In no event shall Hilscher be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, nor shall Hilscher be liable for incidental or consequential damages arising from use of any software or hardware described in this advisory.
Hilscher provides no warranty, express or implied, for the information contained in this document, and assumes no responsibility for the information contained in this document or for any errors that may appear in this document. Your use of the advisory and information contained herein, or materials linked from the advisory, is at your own risk.  Information in this advisory and any related communications is based on our knowledge at the time of publication and is subject to change without notice. Hilscher reserves the right to change or update advisorys at any time.