Attacks on supervisory control and data acquisition (SCADA) and other industrial systems that use OpENer may take advantage of several vulnerabilities in the OpENer stack.
The OpENer EtherNet/IP (ENIP) stack, maintained by EIPStackGroup and built for I/O adapter devices, supports multiple I/O and explicit connections, implements the ENIP and CIP industrial protocols, and is widely used by major SCADA vendors.
Claroty, an industrial cybersecurity company, revealed five flaws in the OpENer stack this week that could be exploited by sending specially designed ENIP/CIP packets to a vulnerable system.
The first vulnerability is CVE-2021-27478 (CVSS 8.2), an incorrect conversion between numeric types that can be used to cause a denial of service condition. The error is in the code that parses the connection (link) path of a CIP Forward Open request.
To exploit it, an attacker sends a specially crafted packet whose declared connection path is long enough that the numeric conversion bypasses the existing length checks.
The second vulnerability, CVE-2020-13556 (CVSS 9.8), is an out-of-bounds write that was also documented by Cisco Talos, which released details on it in December 2020. According to Cisco, the bug could be exploited by sending a specially designed series of network requests to gain remote code execution.
CVE-2021-27482 (CVSS 7.5) is an out-of-bounds read that occurs because “no checks on the bytes read from the supplied packet” are present. As a result, an attacker who can send a specially crafted ENIP/CIP packet to a vulnerable device can read data beyond the bounds of the packet buffer.
The remaining two vulnerabilities, CVE-2021-27500 and CVE-2021-27498, both with a CVSS score of 7.5, are reachable assertion flaws (CWE-617): a malformed packet drives the stack into an assert() that aborts the process, causing a DoS condition.
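The three bug classes above (incorrect numeric conversion, unchecked read length, and a reachable assertion) all show up in the same place: the code that takes a length field from an untrusted packet. The following is an added illustration, not OpENer's code and not Claroty's findings: a toy parser for the connection-path field of a CIP Forward Open request, written once with all three defects and once hardened. The field layout (a one-byte word count followed by that many 16-bit words), the 64-byte buffer limit, the function names and the status codes are assumptions for the demo. Both functions return the number of bytes a copy would use instead of copying, so the vulnerable variant can be run safely.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not OpENer's code.  A CIP Forward Open
 * connection path is assumed here to be [word count][N x 16-bit words];
 * the buffer limit and names are assumptions for the demo. */

#define MAX_PATH_BYTES 64          /* assumed capacity of the device's path buffer */

enum path_status {
    PATH_TOO_LONG  = -1,           /* declared path exceeds our buffer */
    PATH_TRUNCATED = -2,           /* declared path runs past the end of the packet */
    PATH_MALFORMED = -3,           /* empty field or zero-length path */
};

/* Vulnerable parser, exhibiting the three classes discussed above:
 *  - CWE-681: the byte count is computed in an int8_t, so 64 words
 *    (128 bytes) and above wrap negative or small and the size check
 *    never fires;
 *  - CWE-125: the declared length is never compared with the bytes
 *    actually present in the packet, so the copy would read past it;
 *  - CWE-617: a zero-length path trips an assert() the attacker controls.
 * Returns the byte count the copy would use rather than copying. */
int path_len_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    assert(pkt_len >= 1 && pkt[0] != 0);      /* reachable assertion: pkt[0] is attacker data */
    uint8_t words = pkt[0];
    int8_t path_bytes = (int8_t)(words * 2);  /* BUG: narrowing conversion; 100 words -> -56 */
    if (path_bytes > MAX_PATH_BYTES)
        return PATH_TOO_LONG;                 /* bypassed once path_bytes has wrapped */
    /* BUG: no check that pkt_len - 1 >= the real length (out-of-bounds read) */
    return (int)words * 2;                    /* the real length the copy would use */
}

/* Hardened parser: lengths are computed in size_t, the declared length is
 * bounded by both the packet and the destination buffer, and malformed
 * input yields an error code instead of aborting the process. */
int path_len_fixed(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 1 || pkt[0] == 0)
        return PATH_MALFORMED;                /* reject and keep serving, no assert() */
    size_t path_bytes = (size_t)pkt[0] * 2;   /* wide unsigned arithmetic: cannot wrap */
    if (path_bytes > MAX_PATH_BYTES)
        return PATH_TOO_LONG;                 /* protects the destination buffer */
    if (path_bytes > pkt_len - 1)
        return PATH_TRUNCATED;                /* protects the read against the packet */
    return (int)path_bytes;
}

int main(void)
{
    /* Constructed packets: [word count][path bytes...]; 0x20 is filler. */
    uint8_t benign[1 + 20];                   /* 10 words = 20 bytes, fits the buffer */
    memset(benign, 0x20, sizeof benign);
    benign[0] = 10;
    uint8_t oversized[5] = { 100, 0x20, 0x00, 0x20, 0x00 }; /* claims 200 bytes */
    uint8_t short_pkt[5] = { 20, 0x20, 0x00, 0x20, 0x00 };  /* claims 40 bytes, carries 4 */

    printf("benign   : vulnerable=%d fixed=%d\n",
           path_len_vulnerable(benign, sizeof benign), path_len_fixed(benign, sizeof benign));
    printf("oversized: vulnerable=%d fixed=%d\n",
           path_len_vulnerable(oversized, sizeof oversized), path_len_fixed(oversized, sizeof oversized));
    printf("short    : vulnerable=%d fixed=%d\n",
           path_len_vulnerable(short_pkt, sizeof short_pkt), path_len_fixed(short_pkt, sizeof short_pkt));
    return 0;
}
```

For the oversized packet the vulnerable parser accepts 200 bytes into a 64-byte buffer because the narrowed count is negative; for the short packet it accepts a 40-byte copy from a 5-byte packet. The hardened version rejects the first as too long and the second as truncated, and turns the zero-length case into an error code instead of an assertion failure.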
All OpENer EtherNet/IP stack commits and releases prior to February 10, 2021 are affected, according to a Thursday advisory from the Cybersecurity and Infrastructure Security Agency (CISA), which recommends updating to the commits published on or after that date and taking steps to reduce the likelihood of exploitation.
Control systems should not be reachable from the Internet; control system networks and remote devices should be placed behind firewalls and isolated from the business network; and where remote access is required, secure methods such as VPNs should be used, with the VPN software kept updated to the most current version available.
“CISA advises organizations that before deploying protective initiatives, they should conduct a thorough impact analysis and risk evaluation,” the agency says. “Organizations should follow their defined internal protocols and report any alleged malicious activity to CISA for monitoring and correlation against other incidents,” it adds.