OTPulse

ICSNPP - Ethercat Zeek Plugin

Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-24-051-02
Published: Feb 20, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The ICSNPP Ethercat Zeek Plugin versions up to commit d78dda6 contain out-of-bounds write and read vulnerabilities (CWE-787, CWE-125) in the parsing of Ethercat protocol packets. Successful exploitation allows remote code execution on the monitoring system. The vulnerabilities are due to improper bounds checking during packet parsing.

What this means
What could happen
An attacker could execute arbitrary code on the sensor running the vulnerable Ethercat Zeek Plugin. Because a Zeek sensor normally receives mirrored traffic from the whole monitored segment, a compromised sensor both blinds detection and gives the attacker a foothold that sees all captured industrial control traffic, which could then be suppressed or altered in the logs.
Who's at risk
Manufacturing plants and facilities using Zeek-based network monitoring to analyze Ethercat industrial control traffic should prioritize this. Organizations running the ICSNPP Ethercat plugin on monitoring systems that handle traffic from production equipment on the plant floor are most at risk.
How it could be exploited
Zeek is a passive sensor: it parses every EtherCAT frame that reaches its capture interface (SPAN port, TAP, or a pcap replayed with zeek -r), so the attacker does not need to address the sensor at all. An attacker who can put frames on a monitored segment sends a crafted EtherCAT frame, for example one whose length or offset fields disagree with the bytes actually present. The plugin uses those fields without checking them against the captured frame, so the parser reads or writes outside its buffer, which can be turned into code execution on the monitoring system.
Prerequisites
  • Ability to inject frames onto a network segment that the Zeek sensor monitors, or to get a crafted pcap processed by it; no network connectivity to the sensor itself is required
  • The plugin must be loaded and its Ethercat analyzer active on that traffic
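The following is an added example, not code from the ICSNPP plugin or from the advisory: a bounds-checked walker for the EtherCAT datagram chain, showing the kind of check whose absence produces the out-of-bounds read and write described above. The frame and datagram layout (2-byte frame header, 10-byte datagram header with an 11-bit length and a "more" flag, data, 2-byte working counter) follows the EtherCAT specification; the three sample frames are hand-constructed for this example, not captured traffic, and the function names are this example's own.

```cpp
// Added example (not the ICSNPP plugin's own code): a bounds-checked walker for
// the EtherCAT datagram chain, written so that an attacker-controlled length
// field can never move a read or write past the captured frame.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// EtherCAT frame (after the 0x88A4 Ethernet header): 2-byte LE header, bits 0-10
// = payload length, bits 12-15 = type (1 = EtherCAT command). Then one or more
// datagrams: 10-byte header (cmd, idx, 32-bit address, 16-bit len/flags with
// bits 0-10 = data length and bit 15 = "more datagrams follow", 16-bit IRQ),
// len bytes of data, then a 2-byte working counter (WKC).
struct Datagram {
    uint8_t  cmd;
    uint8_t  idx;
    uint32_t addr;
    uint16_t len;       // data length declared by the sender: untrusted
    bool     more;
    size_t   data_off;  // offset of the data bytes inside the frame buffer
    uint16_t wkc;
};

static uint16_t le16(const uint8_t* p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t* p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Parses the datagram chain in buf[0..n). Returns the number of datagrams, or
// -1 if any declared length would take the parser outside the captured bytes.
// Every comparison is made against the remaining byte count; an untrusted
// length is never added to a pointer before it has been checked.
int parse_ethercat(const uint8_t* buf, size_t n, std::vector<Datagram>& out) {
    if (n < 2) return -1;                       // no room for the frame header
    uint16_t hdr = le16(buf);
    size_t frame_len = hdr & 0x07FF;
    if ((hdr >> 12) != 1) return -1;            // only type 1 carries datagrams
    if (frame_len > n - 2) return -1;           // header claims more than captured
    size_t pos = 2, end = 2 + frame_len;
    bool more = true;
    while (more) {
        if (end - pos < 10) return -1;          // full datagram header must fit
        Datagram d;
        d.cmd  = buf[pos];
        d.idx  = buf[pos + 1];
        d.addr = le32(buf + pos + 2);
        uint16_t lf = le16(buf + pos + 6);
        d.len  = lf & 0x07FF;
        d.more = (lf & 0x8000) != 0;
        more   = d.more;
        pos += 10;
        if (end - pos < (size_t)d.len + 2) return -1;  // data + WKC must fit
        d.data_off = pos;
        pos += d.len;
        d.wkc = le16(buf + pos);
        pos += 2;
        out.push_back(d);
    }
    if (pos != end) return -1;                  // stray bytes inside declared length
    return (int)out.size();
}

// Constructed sample frames (hand-built for this example, not captured traffic).
// kGood: BRD of 2 bytes at 0x130 with "more" set, then LRD of 4 bytes at 0x1000.
static const uint8_t kGood[] = {
    0x1E, 0x10,
    0x07, 0x80, 0x30, 0x01, 0x00, 0x00, 0x02, 0x80, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
    0x0A, 0x81, 0x00, 0x10, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x01, 0x00,
};
// kBadLen: one datagram whose len field (0x7FF = 2047) exceeds the 2 bytes that
// remain; a parser that trusts len would read about 2 KiB past the frame here.
static const uint8_t kBadLen[] = {
    0x0C, 0x10, 0x04, 0x01, 0x00, 0x01, 0x00, 0x00, 0xFF, 0x07, 0x00, 0x00, 0x00, 0x00,
};
// kBadHdr: frame header claims 30 payload bytes but only 5 follow.
static const uint8_t kBadHdr[] = { 0x1E, 0x10, 0x07, 0x80, 0x30, 0x01, 0x00 };

// Convenience wrapper: datagram count, or -1 for a malformed frame.
int datagram_count(const uint8_t* buf, size_t n) {
    std::vector<Datagram> v;
    return parse_ethercat(buf, n, v);
}

int main() {
    std::printf("good=%d badlen=%d badhdr=%d\n",
                datagram_count(kGood, sizeof kGood),
                datagram_count(kBadLen, sizeof kBadLen),
                datagram_count(kBadHdr, sizeof kBadHdr));
    return 0;
}
```

The second and third frames are the two shapes a fuzzer finds first in a length-prefixed protocol: a per-record length larger than the remaining buffer, and an outer length larger than the capture. Both are rejected before any byte past the buffer is touched; the good frame yields two datagrams with the data offsets and working counters the bytes encode.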
Key factors:
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • High CVSS (9.8)
  • Affects network monitoring visibility
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)

Product: Industrial Control Systems Network Protocol Parsers (ICSNPP) - Ethercat Zeek Plugin
Affected Versions: commit d78dda6 and earlier (≤ d78dda6)
Fix Status: fixed in commit 3bca34c or later
Remediation & Mitigation
Schedule — requires maintenance window

Updating the plugin means rebuilding it against the installed Zeek and restarting the Zeek processes. Passive monitoring of the segment is interrupted while the sensor restarts, so plan for the visibility gap; the plant process itself is not affected by restarting a passive sensor.

HOTFIXUpdate ICSNPP Ethercat Zeek Plugin to commit 3bca34c or later
HOTFIXKeep all critical software updates and patches current on systems running the Ethercat plugin
Long-term hardening
HARDENINGIsolate Zeek monitoring infrastructure behind firewalls, restricting network access to trusted sources only
HARDENINGEnsure Zeek and all associated plugins are not directly accessible from business networks or the internet