OTPulse

Festo SBRD-Q/SBOC-Q/SBOI-Q

Plan Patch | CVSS 8.2 | ICS-CERT ICSA-25-273-02 | Sep 22, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in the EtherNet/IP stack (from EIPStackGroup OpENer) affect Festo SBRD-Q controllers and SBOC-Q/SBOI-Q camera families. The flaws include buffer overread (CWE-125), type confusion (CWE-681), and divide-by-zero (CWE-617) conditions that can be triggered by malformed EtherNet/IP protocol messages sent over the network without authentication. Exploitation could result in device unavailability (denial of service) or potential data corruption. Festo has not released patches and does not plan to fix these products; mitigation requires network isolation and disabling the EtherNet/IP protocol if unused.

What this means
What could happen
An attacker with network access could cause a denial of service (stopping operations) or potentially alter data on Festo SBRD-Q controllers and SBOC/SBOI cameras by exploiting flaws in their EtherNet/IP communication stack.
Who's at risk
Water authorities and utilities operating Festo SBRD-Q process controllers or SBOC-Q/SBOI-Q camera systems for pump monitoring, valve control, or process automation should implement immediate compensating controls. This affects any facility using Festo modular controllers or industrial cameras with EtherNet/IP network connectivity.
How it could be exploited
An attacker on the same network segment or with network access to port 44818 (EtherNet/IP) could send malformed EtherNet/IP protocol packets to the device. The EtherNet/IP stack parsing vulnerabilities (buffer overread, type confusion) could trigger a crash or allow data manipulation without requiring authentication or user interaction.
Prerequisites
  • Network access to EtherNet/IP port 44818 (UDP/TCP)
  • Device must have EtherNet/IP enabled in settings
  • No credentials or special configuration required
remotely exploitable | no authentication required | low complexity | no patch available | affects industrial control operations
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (20)
20 EOL
Product | Affected Versions | Fix Status
SBOC-Q-R1B | All versions | No fix (EOL)
SBOC-Q-R1C | All versions | No fix (EOL)
SBOC-Q-R2B | All versions | No fix (EOL)
SBOC-Q-R2B-S1 | All versions | No fix (EOL)
SBOC-Q-R2C | All versions | No fix (EOL)
Remediation & Mitigation
Do now
SBRD-Q
HARDENING: Isolate SBRD-Q/SBOC-Q/SBOI-Q devices from the Internet and restrict network access using firewalls to only authorized engineering and operational networks
All products
WORKAROUND: Disable EtherNet/IP protocol in device settings if not required for operations
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SBOC-Q-R1B, SBOC-Q-R1C, SBOC-Q-R2B, SBOC-Q-R2B-S1, SBOC-Q-R2C, SBOC-Q-R3B-WB, SBOC-Q-R3C-WB, SBOC-Q-R3C-WB-S1, SBOI-Q-R1B, SBOI-Q-R1B-S1, SBOI-Q-R3B-WB, SBOI-Q-R3B-WB-S1, SBOI-Q-R3C-WB, SBOI-Q-R3C-WB-S1, SBRD-Q, SBOC-Q-R1B-S1, SBOC-Q-R1C-S1, SBOC-Q-R3B-WB-S1, SBOI-Q-R1C, SBOI-Q-R1C-S1. Apply the following compensating controls:
HARDENING: Segment control system networks from business networks to prevent lateral movement from compromised office systems
HARDENING: If remote access is required, implement VPN with encryption and proper access controls rather than direct Internet exposure
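One way to verify that the firewall restriction on port 44818 holds in practice is to audit flow logs for traffic reaching the affected devices from outside the authorized networks. The script below is an added example, not part of the advisory or any Festo or OTPulse tooling; the log format, subnets, device addresses and sample records are all constructed assumptions.

```python
import ipaddress

ENIP_PORT = 44818  # EtherNet/IP port named in the advisory (TCP and UDP)

# Assumed addressing plan for illustration; replace with your own.
AUTHORIZED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.5.0/28")]
FESTO_DEVICES = {ipaddress.ip_address(a) for a in ("10.30.1.11", "10.30.1.12")}

# Constructed sample flow records: "timestamp proto src dst dport action"
SAMPLE_FLOWS = """\
2025-01-10T08:00:01Z tcp 10.20.0.15 10.30.1.11 44818 allow
2025-01-10T08:00:07Z udp 10.20.5.3 10.30.1.12 44818 allow
2025-01-10T08:01:12Z tcp 192.168.40.77 10.30.1.11 44818 allow
2025-01-10T08:01:30Z tcp 192.168.40.77 10.30.1.11 443 allow
2025-01-10T08:02:02Z udp 203.0.113.9 10.30.1.12 44818 deny
2025-01-10T08:02:40Z tcp 10.20.0.15 10.30.1.99 44818 allow
truncated-or-garbled-line
"""

def parse_flow(line):
    """Return a dict for a well-formed record, or None for anything else."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, proto, src, dst, dport, action = parts
    try:
        return {"ts": ts, "proto": proto.lower(),
                "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                "dport": int(dport), "action": action.lower()}
    except ValueError:
        return None

def audit(flows_text):
    """List EtherNet/IP flows to affected devices from unauthorized sources."""
    findings = []
    for line in flows_text.splitlines():
        f = parse_flow(line)
        if f is None or f["proto"] not in ("tcp", "udp"):
            continue
        if f["dst"] not in FESTO_DEVICES or f["dport"] != ENIP_PORT:
            continue
        if any(f["src"] in net for net in AUTHORIZED_NETS):
            continue
        # An allowed flow means the firewall policy has a gap; a denied one
        # shows the control working but is still worth reviewing.
        kind = "policy-gap" if f["action"] == "allow" else "blocked-attempt"
        findings.append((f["ts"], str(f["src"]), str(f["dst"]), f["proto"], kind))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

A "policy-gap" finding means a source outside the authorized networks was permitted to reach port 44818 on an affected device, so the firewall rule set needs tightening.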
Festo SBRD-Q/SBOC-Q/SBOI-Q | CVSS 8.2 - OTPulse