Circutor COMPACT DC-S BASIC

Monitor6.8ICS-CERT ICSA-22-137-01May 17, 2022

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionNone needed

Summary

The COMPACT DC-S BASIC power monitoring device contains a buffer overflow vulnerability (CWE-121) that could allow a remote attacker with valid credentials to execute arbitrary code on the device. Successful exploitation could disrupt power monitoring and control functions. Circutor has not provided a patch or security update, and the vendor has not responded to CISA coordination efforts.

What this means

What could happen

A buffer overflow in the COMPACT DC-S BASIC power management device could allow an authenticated attacker to execute arbitrary commands on the device, potentially disrupting power monitoring and control functions in your electrical distribution system.

Who's at risk

Water and electric utilities using Circutor COMPACT DC-S BASIC devices for DC power monitoring and management. These devices are typically found in power distribution substations, data centers, renewable energy installations (solar/wind), and backup power systems. Any organization relying on this device for power monitoring and control should assess their exposure.

How it could be exploited

An attacker with a valid user account on the device could send a specially crafted network request to exploit a buffer overflow condition. This would allow them to execute code with the same privileges as the device software, potentially compromising monitoring and control of DC power systems.

Prerequisites

Network access to the COMPACT DC-S BASIC device on port used for management/monitoring (typically port 80 or 443)
Valid login credentials for the device
Knowledge of the buffer overflow weakness to craft the malicious input

Remotely exploitable over networkBuffer overflow vulnerabilityNo patch available from vendorAffects power management and monitoring systemsVendor (Circutor) not actively addressing the issue

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

COMPACT DC-S BASIC: CIR_CDC_v1.2.17CIR CDC v1.2.17No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/4

HARDENINGIsolate COMPACT DC-S BASIC devices from direct Internet access; place them behind a firewall on a protected control network

HARDENINGRestrict network access to COMPACT DC-S BASIC management interfaces; only allow access from designated engineering workstations or administrative systems

HARDENINGRequire strong, unique login credentials for all COMPACT DC-S BASIC devices; rotate credentials periodically

WORKAROUNDIf remote access to COMPACT DC-S BASIC is required, use a VPN with up-to-date security patches and multi-factor authentication

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXContact Circutor customer support to inquire about available patches or firmware updates, even though none are currently documented

Mitigations - no patch available

0/1

COMPACT DC-S BASIC: CIR_CDC_v1.2.17 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGMonitor COMPACT DC-S BASIC devices for suspicious activity; log all access attempts and configuration changes

CVEs (1)

CVE-2022-1669

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/53183ae7-30dc-4db6-aafd-025b00719eef