Real Time Automation EtherNet/IP
Act Now | 9.8 | ICS-CERT ICSA-20-324-03 | Nov 17, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A buffer overflow vulnerability exists in the Real Time Automation 499ES EtherNet/IP Adaptor TCP/IP stack (all versions below 2.28). Successful exploitation could cause denial-of-service conditions or allow remote code execution. No patch is currently available from the vendor. Real Time Automation should be contacted directly for support and additional technical details.
What this means
What could happen
A buffer overflow in the TCP/IP stack could allow an attacker to execute arbitrary code on the 499ES EtherNet/IP adapter, potentially disrupting communication with connected field devices or allowing the attacker to manipulate process control commands.
Who's at risk
Water utilities and electric facilities that use Real Time Automation 499ES EtherNet/IP adapters for field device communication and process monitoring should be concerned. These adapters are commonly used in pump stations, treatment plants, and distribution networks to bridge older industrial devices to modern control systems.
How it could be exploited
An attacker sends a specially crafted packet over the network to the 499ES adapter's TCP/IP stack. The buffer overflow in the TCP/IP stack is triggered, allowing the attacker to overwrite memory and execute arbitrary code with the privileges of the adapter process.
Prerequisites
- Network-level access to the 499ES EtherNet/IP adapter
- No authentication required
remotely exploitable, no authentication required, low complexity, buffer overflow vulnerability, no patch available, affects critical OT infrastructure
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product: 499ES EtherNet/IP Adaptor Source Code a TCP/IP stack
Affected Versions: All < 2.28
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the 499ES adapter by placing it behind a firewall and limiting connections to trusted engineering workstations and control systems only
HARDENING: Isolate the control system network (where the 499ES is located) from the business/corporate network using network segmentation
WORKAROUND: Contact Real Time Automation for security guidance and updates regarding this TCP/IP stack vulnerability
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: If remote access to the control system is required, implement a VPN with current security patches and restrict access to authorized personnel only
CVEs (1)