Severe Bugs Reported in EtherNet/IP Stack for Industrial Systems

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an advisory warning of multiple vulnerabilities in the OpENer EtherNet/IP stack that could expose industrial systems to denial-of-service (DoS) attacks, data leaks, and remote code execution.

All OpENer commits and versions prior to February 10, 2021, are affected, although there are no known public exploits that specifically target these vulnerabilities.

The four security flaws were discovered and reported to CISA by researchers Tal Keren and Sharon Brizinov from operational technology security company Claroty. Additionally, a fifth security issue identified by Claroty was previously disclosed by Cisco Talos (CVE-2020-13556) on December 2, 2020.

“An attacker would only need to send crafted ENIP/CIP packets to the device in order to exploit these vulnerabilities,” the researchers said.

CVE-2020-13556 concerns an out-of-bounds write vulnerability in the Ethernet/IP server that could potentially allow an attacker to send a series of specially-crafted network requests to trigger remote code execution. It’s rated 9.8 out of 10 in severity.

The four other flaws disclosed to EIPStackGroup, the maintainers of the OpENer stack, in October 2020 are as follows —

  • CVE-2021-27478 (CVSS score: 8.2) – A bug in the manner Common Industrial Protocol (CIP) requests are handled, leading to a DoS condition
  • CVE-2021-27482 (CVSS score: 7.5) – An out-of-bounds read flaw that leverages specially crafted packets to read arbitrary data from memory
  • CVE-2021-27500 and CVE-2021-27498 (CVSS scores: 7.5) – Two reachable assertion vulnerabilities that could be exploited to result in a DoS condition

Vendors using the OpENer stack are recommended to update to the latest version while also taking protective measures to minimize network exposure for all control system devices to the internet, erect firewall barriers, and isolate them from the business network.

This is far from the first time security issues have been unearthed in EtherNet/IP stacks. Last November, Claroty researchers revealed a critical vulnerability uncovered in Real-Time Automation’s (RTA) 499ES EtherNet/IP stack could open up the industrial control systems to remote attacks by adversaries.