OTPulse

Eaton ELCSoft Programming Software Memory Vulnerabilities

Monitor | CVSS 7.3 | ICS-CERT ICSA-16-182-01 | Apr 3, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

ELCSoft versions 2.4.01 and earlier contain out-of-bounds memory read and write vulnerabilities (CWE-122, CWE-121) that can be triggered remotely without authentication. A remote attacker can send specially crafted packets to read or corrupt memory in the ELCSoft process, leading to disclosure of sensitive data, arbitrary data writes, or denial of service.

What this means
What could happen
An attacker with network access to ELCSoft could trigger a memory corruption vulnerability to read sensitive data, write arbitrary data, or crash the software, potentially disrupting programming and maintenance of Eaton electrical controllers.
Who's at risk
Organizations using Eaton ELCSoft for programming and configuring Eaton electrical equipment (PLCs, motor controllers, programmable relays) should be concerned. This impacts electrical utilities, water authorities, industrial plants, and manufacturing facilities that rely on Eaton controllers for process automation.
How it could be exploited
An attacker sends a specially crafted network packet to ELCSoft (no authentication required). The packet triggers an out-of-bounds memory read or write due to improper input validation. This allows the attacker to execute commands in the context of ELCSoft or extract engineering data from memory.
Prerequisites
  • Network access to the machine running ELCSoft
  • No credentials required
  • ELCSoft version 2.4.01 or earlier
Tags: remotely exploitable, no authentication required, low complexity, no patch available, memory corruption (high severity)
Exploitability
Moderate exploit probability (EPSS 6.4%)
Affected products (1)
Product: ELCSoft
Affected Versions: ≤ 2.4.01
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
  • Hardening: Isolate ELCSoft systems from untrusted networks using network segmentation (firewall rules, air-gap from internet-facing systems)
  • Hardening: Restrict access to ELCSoft to authorized engineering personnel only
Mitigations - no patch available
ELCSoft ≤ 2.4.01 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • Hardening: Monitor for vendor security updates and plan for migration or replacement