-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1924
     Multiple vulnerabilities have been identified in Eaton ELCSoft ELCSimulator
                               3 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Eaton ELCSoft
Publisher:         Zero Day Initiative
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin:
   http://www.zerodayinitiative.com/advisories/ZDI-17-519
   http://www.zerodayinitiative.com/advisories/ZDI-17-520

Comment: This bulletin contains two (2) Zero Day Initiative security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

(0Day) Eaton ELCSoft Project File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

ZDI-17-519: August 2nd, 2017

CVSS Score
6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Vendors
Eaton

Affected Products
ELCSoft

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eaton ELCSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within processing of EPC files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code in the context of the process.

Vendor Response
Eaton states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.
09/08/2016 - ZDI disclosed the report to ICS-CERT
09/19/2016 - The vendor acknowledged receipt of the report through ICS-CERT and ICS-CERT provided ICS-VU-170656
11/01/2016 - The vendor requested additional details from ZDI through ICS-CERT
11/07/2016 - ZDI provided additional details as requested
03/13/2017, 03/17/2017, and 03/29/2017 - ICS-CERT replied that the vendor cannot validate these on the latest and asked if ZDI could re-vet against their latest version
04/05/2017 - ZDI replied that this report still hits
07/12/2017 - ZDI requested an update from ICS-CERT
07/13/2017 - ICS-CERT indicated that to their knowledge the vendor has not yet created a relevant patch
07/20/2017 - ZDI notified the vendor of the intention to publish the report as 0-day

- -- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

Disclosure Timeline
2016-09-08 - Vulnerability reported to vendor
2017-08-02 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Ariele Caltabiano (kimiya)

- --------------------------------------------------------------------------------

(0Day) Eaton ELCSoft ELCSimulator Stack-based Buffer Overflow Remote Code Execution Vulnerability

ZDI-17-520: August 2nd, 2017

CVSS Score
6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Vendors
Eaton

Affected Products
ELCSoft

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eaton ELCSoft.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the processing of network TCP requests by ELCSimulator.exe. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute arbitrary code in the context of the process.

Vendor Response
Eaton states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

10/11/2016 - ZDI disclosed the report to ICS-CERT
11/01/2016 - The vendor requested additional details from ZDI through ICS-CERT
11/07/2016 - ZDI provided additional details as requested
03/13/2017, 03/17/2017, and 03/29/2017 - ICS-CERT replied that the vendor cannot validate these on the latest and asked if ZDI could re-vet against their latest version
04/05/2017 - ZDI replied that this report still hits
07/12/2017 - ZDI requested an update from ICS-CERT
07/13/2017 - ICS-CERT indicated that to their knowledge the vendor has not yet created a relevant patch
07/20/2017 - ZDI notified the vendor of the intention to publish the report as 0-day

- -- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
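Both advisories describe the same bug class: a length taken from attacker-controlled input (an EPC file for ZDI-17-519, a TCP request to ELCSimulator.exe for ZDI-17-520) is used to copy data into a fixed-length buffer without first being checked, heap-allocated in one case and stack-allocated in the other. The example below is added by the editor and is not ZDI's or Eaton's code; nothing about the real EPC format or the ELCSimulator protocol is known from the advisories. It models the flaw with an assumed record layout (a 2-byte little-endian length followed by the payload), an assumed 64-byte destination, and made-up function names, placing the unchecked copy beside a version that validates the declared length against both the destination size and the bytes actually received.

```c
/* Editor's illustrative example; not ELCSoft code. The record layout
 * (2-byte little-endian length, then payload), PAYLOAD_MAX and all names
 * below are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64

struct record {
    uint16_t len;
    uint8_t payload[PAYLOAD_MAX];   /* fixed-length destination buffer */
};

enum parse_status { PARSE_OK = 0, PARSE_SHORT = 1, PARSE_TOO_LONG = 2 };

static uint16_t read_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern: the attacker-supplied length is trusted. A record
 * declaring more than PAYLOAD_MAX bytes overruns rec->payload; whether that
 * smashes the heap or the stack depends only on where the caller put rec. */
void parse_record_unchecked(const uint8_t *in, size_t in_len, struct record *rec) {
    (void)in_len;                            /* input size is never consulted */
    rec->len = read_le16(in);
    memcpy(rec->payload, in + 2, rec->len);  /* no bound on rec->len */
}

/* Hardened version: every copy length is bounded by the destination size
 * and by the number of bytes that were actually supplied. */
enum parse_status parse_record_checked(const uint8_t *in, size_t in_len, struct record *rec) {
    if (in_len < 2)
        return PARSE_SHORT;                  /* not even a complete length field */
    uint16_t len = read_le16(in);
    if (len > PAYLOAD_MAX)
        return PARSE_TOO_LONG;               /* would overflow rec->payload */
    if ((size_t)len > in_len - 2)
        return PARSE_SHORT;                  /* declares more bytes than supplied */
    rec->len = len;
    memcpy(rec->payload, in + 2, len);
    return PARSE_OK;
}

/* Builds a constructed test record into out (capacity cap): declared_len goes
 * into the header, body_len bytes of 'A' follow. Returns bytes written, or 0
 * if out is too small. The two lengths are separate so a truncated record
 * (declared > supplied) can be constructed as well as an oversized one. */
size_t build_record(uint8_t *out, size_t cap, uint16_t declared_len, size_t body_len) {
    if (cap < 2 + body_len)
        return 0;
    out[0] = (uint8_t)(declared_len & 0xff);
    out[1] = (uint8_t)(declared_len >> 8);
    memset(out + 2, 'A', body_len);
    return 2 + body_len;
}

int main(void) {
    uint8_t buf[2 + 600];
    struct record rec;                       /* stack-allocated, like ZDI-17-520 */

    size_t n = build_record(buf, sizeof buf, 16, 16);
    printf("benign record (16 bytes):   status %d\n", parse_record_checked(buf, n, &rec));

    n = build_record(buf, sizeof buf, 600, 600);   /* hostile: 600 > PAYLOAD_MAX */
    printf("hostile record (600 bytes): status %d\n", parse_record_checked(buf, n, &rec));
    /* parse_record_unchecked(buf, n, &rec) here would write 600 bytes into a
     * 64-byte field: the overflow both advisories describe. Not executed. */

    n = build_record(buf, sizeof buf, 40, 10);     /* declares 40, supplies 10 */
    printf("truncated record:           status %d\n", parse_record_checked(buf, n, &rec));
    return 0;
}
```

The second check in parse_record_checked (declared length against bytes received) matters as much as the first: a length that fits the destination but exceeds the input still reads past the end of the received message, which is an out-of-bounds read rather than a write, but is the same class of missing validation.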
Disclosure Timeline
2016-10-11 - Vulnerability reported to vendor
2017-08-02 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
Ariele Caltabiano (kimiya)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWYKguIx+lLeg9Ub1AQiC0RAAo6g1bgpEd7dCS+vgqmx5d6VxfAC5KV5S
NF0AG9J6RvjyEWz0BAe951DN+uekn67lYF/BZhOZEMzD4gFbKaWUo//Fn36TOKlC
KLsgJHusDb6WMO9keP89n7vvtHbcbm1gyJW+3auvV/E/piI0Viu55R+iaJyzDKyI
oHOe4jSKb6RFIEDKTAHcrVqNCwvnXIxgLSO8YkW7tQtixrrhfidwrVHhNCbswjsh
8KvQycxSTKlgS6FdHyEr1KZGl87q5rRALGIleSf6fYY5WBF+fRf/JM4yLejqEaDK
hrJ0feNvStVqJVVL/ba9ctX+VjyiVOmmHtoSVv3aR0D10quDvcpTF+cdn68oqbCZ
mbhVOLQ/vfWIsUHuN8rnqwnJKUU5RrYejpi42EPcgMKyDBjYB6udJEBFOtNCUfUO
lTb3AXukV+Ofzif0DfvOtyGfRzMtbqN/ZLS6pKirV/sZEWzW3l8DfFI4+ZOuKvNA
j6Alt5IYl3tjSr6ZH7w4eq2Nf5v3V+FCLO3B9WVPEZMzUAhzwx9JKMs1/8fLIaMi
KV2e2TPkMhT0DwWLbzk2NPGHwmLi6EBh+JLPyIkUJXdYHffFjMeCo+2XddlDmw2a
rlqjUJnC5+HRESStXBJYOB8utrCQ43maDwW23Qy2zWNXDbAFU4ZX4Xou5+uBWnnQ
gYHynCqZLY0=
=MOLt
-----END PGP SIGNATURE-----