OTPulse

MZ Automation libIEC61850

Act Now | CVSS 10 | ICS-CERT ICSA-22-251-01 | Sep 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

libIEC61850 is a widely used library for implementing IEC 61850 protocol communications in electrical substation automation devices. Versions 1.4 and earlier, as well as versions 1.5 up to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e, contain buffer overflow and null pointer dereference vulnerabilities (CWE-121, CWE-476). These flaws can be triggered by remote attackers sending malicious IEC 61850 protocol messages to affected devices, leading to denial of service or remote code execution without requiring credentials or user interaction.

What this means
What could happen
A remote attacker could crash any device running vulnerable libIEC61850 or execute arbitrary code on it, potentially disrupting power system communications or causing uncontrolled equipment behavior in electrical substations and switchyards.
Who's at risk
Operators of electrical substations, transmission and distribution systems, and other critical infrastructure that rely on IEC 61850 protocol devices using the vulnerable libIEC61850 library. This includes protective relays, merging units, intelligent electronic devices (IEDs), and network communication gateways in power systems.
How it could be exploited
An attacker on the network could send specially crafted IEC 61850 protocol packets to a device using vulnerable libIEC61850 to trigger a buffer overflow or null pointer dereference, allowing remote code execution or denial of service without requiring authentication or user interaction.
Prerequisites
  • Network access to a device running vulnerable libIEC61850 (typically port 102 for IEC 61850 protocol)
  • No authentication required
  • Attack does not require any special configuration of the target device
Remotely exploitable · No authentication required · Low complexity attack · Critical CVSS score (10.0) · Buffer overflow enables arbitrary code execution · Affects control system communications protocols
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
libIEC61850 | ≥ 1.5, ≤ a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e | No fix (EOL)
libIEC61850 | ≤ 1.4 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to libIEC61850-enabled devices: place them behind a firewall and block inbound connections from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update libIEC61850 to the latest version provided by MZ Automation
Mitigations - no patch available
Both libIEC61850 product entries have reached End of Life with no planned fix. Apply the following compensating controls:
HARDENING: Isolate control system networks from business networks and the Internet
HARDENING: If remote access to devices is needed, use a VPN with current security patches and strong access controls
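
A defender-side check for the workaround and network-isolation controls above, as an added example that is not part of the advisory or of libIEC61850: it audits a flow-log export for TCP/102 connections to IEC 61850 devices from sources outside an allow-list. The CSV column names, the allowed subnets and the sample records are constructed assumptions.

```python
"""Audit flow records for IEC 61850 (TCP/102) traffic from non-allow-listed sources."""
import csv
import io
import ipaddress

MMS_PORT = 102  # port named in the advisory's prerequisites

# Assumption: subnets permitted to reach the devices (station bus, engineering hosts).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.1.16/28")]

# Constructed sample flow export; not real traffic. Column names are assumed.
SAMPLE_FLOWS = """\
src,dst,dst_port,proto,action
10.20.0.15,10.20.0.50,102,tcp,allow
10.20.1.20,10.20.0.50,102,tcp,allow
192.168.40.7,10.20.0.50,102,tcp,allow
203.0.113.9,10.20.0.51,102,tcp,deny
10.20.0.15,10.20.0.50,443,tcp,allow
172.16.5.5,10.20.0.51,102,tcp,allow
not-an-ip,10.20.0.51,102,tcp,allow
"""

def is_allowed(src):
    """True when the source address falls inside an allow-listed subnet."""
    return any(src in net for net in ALLOWED_SOURCES)

def audit(flow_csv):
    """Return (src, dst, kind) for every TCP/102 flow from outside the allow-list."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "tcp" or int(row["dst_port"]) != MMS_PORT:
            continue  # only the IEC 61850 service port is in scope here
        try:
            src = ipaddress.ip_address(row["src"])
        except ValueError:
            # Never silently skip a record that cannot be classified.
            findings.append((row["src"], row["dst"], "unparseable-source"))
            continue
        if is_allowed(src):
            continue
        # "exposed": the firewall let it through; "denied": the firewall stopped it.
        kind = "exposed" if row["action"] == "allow" else "denied"
        findings.append((row["src"], row["dst"], kind))
    return findings

if __name__ == "__main__":
    for src, dst, kind in audit(SAMPLE_FLOWS):
        print(f"{kind:18} {src} -> {dst}:{MMS_PORT}")
```

An "exposed" finding means the firewall rule set still permits an untrusted source to reach the device on port 102 and should be tightened; "denied" entries confirm the block is working.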