CVE-2020-18757

CVSS base score: 7.5 HIGH

📋 TL;DR

CVE-2020-18757 is a denial-of-service vulnerability in the PLC MAC1100 from Dut Computer Control Engineering Co. An unauthenticated attacker with network reachability to the controller can send specially crafted packets that leave it in a persistent non-responsive state. Because the MAC1100 is a programmable logic controller, the practical impact is loss of control over the physical process it runs, in manufacturing, utilities or other industrial environments.

💻 Affected Systems

Products:
  • Dut Computer Control Engineering Co. PLC MAC1100
Versions: Not stated in the available references; treat every MAC1100 firmware version as affected until the vendor names a fixed build.
Operating Systems: Embedded PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Any MAC1100 reachable over the network is exposed. The fault is in the controller's handling of inbound network packets, so no credentials and no prior interaction with the device are required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete and persistent loss of the PLC, requiring a physical reset or replacement of the controller. For a controller that runs a safety function or a critical process this means extended production downtime, loss of safety interlocks, or process upset.

🟠 Likely Case

The PLC stops responding until an operator power-cycles it. Production halts for the duration of the outage plus the controller's restart and any re-synchronisation with the HMI/SCADA layer.

🟢 If Mitigated

Minimal impact: with the PLC reachable only from the hosts that need it, and with monitoring on the control network, attack attempts are blocked at the boundary and visible in logs rather than on the plant floor.

🌐 Internet-Facing: HIGH - If PLCs are directly exposed to the internet, they can be easily targeted by automated scanning and exploitation tools.
🏢 Internal Only: MEDIUM - Requires attacker to have network access, but industrial networks often have less security monitoring than IT networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public GitHub repository referenced by the CVE contains proof-of-concept code. Exploitation requires only network reachability to the PLC service port and knowledge of the crafted packet format; no credentials or user interaction are needed, and a single attacker host is sufficient.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found in provided references

Restart Required: Yes

Instructions:

1. Contact Dut Computer Control Engineering Co. for a fixed firmware build; the references name neither an advisory nor a patched version.
2. If a fix is available, obtain it from the vendor portal and verify its integrity against the checksum or signature the vendor supplies, if one is provided.
3. Back up the PLC program and configuration.
4. If the controller is already unresponsive because of an attack, power-cycle it first (a physical reset may be required).
5. Apply the firmware update following the vendor's procedure, in a planned maintenance window.
6. Restart the PLC, restore the configuration if needed, and confirm the process returns to normal operation.

🔧 Temporary Workarounds

Network Segmentation and Firewall Rules

linux

Isolate the PLC from untrusted networks and allow only the HMI or engineering workstation that must reach it. The PLC cannot run a host firewall, so these rules belong on the Linux gateway or firewall between the control network and everything else, in the FORWARD chain (INPUT only covers traffic addressed to the gateway itself). The references do not state which transport the vulnerable service uses; the example assumes TCP as the rest of this page does, so adjust -p if your PLC service is UDP.

# Example rules on a Linux gateway in front of the PLC (set the variables for your site)
: "${PLC_IP:?set PLC_IP}" "${PLC_PORT:?set PLC_PORT}" "${TRUSTED_IP:?set TRUSTED_IP}"
iptables -A FORWARD -p tcp -d "$PLC_IP" --dport "$PLC_PORT" -s "$TRUSTED_IP" -j ACCEPT
iptables -A FORWARD -p tcp -d "$PLC_IP" --dport "$PLC_PORT" -j LOG --log-prefix "PLC-DROP "
iptables -A FORWARD -p tcp -d "$PLC_IP" --dport "$PLC_PORT" -j DROP

Network Monitoring and Rate Limiting

linux

Rate limiting reduces noise and slows down scanning, but it is not a fix: a denial of service that needs only a small number of crafted packets will still succeed from a source that stays under the limit. Use it alongside the allow-list above, and tune the rate to the real polling interval of your HMI/SCADA so that legitimate traffic is never dropped. The plain limit module counts all sources together; hashlimit keyed on source address limits each client separately.

# Example per-source rate limit on the gateway (10/min and burst 20 are illustrative values)
: "${PLC_IP:?set PLC_IP}" "${PLC_PORT:?set PLC_PORT}"
iptables -A FORWARD -p tcp -d "$PLC_IP" --dport "$PLC_PORT" -m hashlimit --hashlimit-name plc --hashlimit-mode srcip --hashlimit-above 10/min --hashlimit-burst 20 -j DROP
iptables -A FORWARD -p tcp -d "$PLC_IP" --dport "$PLC_PORT" -j ACCEPT

🧯 If You Can't Patch

  • Implement strict network segmentation with industrial DMZ architecture
  • Deploy intrusion detection systems specifically tuned for industrial protocols

🔍 How to Verify

Check if Vulnerable:

Do not run the public proof-of-concept, or send any crafted packets, against a production controller: the denial of service is persistent and may require a physical reset, so the test itself is an outage. If you need to confirm exposure, use a spare or bench MAC1100 on an isolated network, run the PoC from the referenced GitHub repository against it, and observe whether the controller stops responding and whether it recovers without a power-cycle.

Check Version:

Read the firmware version from the vendor's engineering software or the controller's web interface; the exact method depends on your installation. Because the references name no fixed version, compare what you find with the version the vendor identifies as fixed when you request the update.

Verify Fix Applied:

After applying the workarounds, confirm from the trusted host that the PLC still answers normal polling at its usual rate, and confirm from a host outside the allow-list that connections to the PLC port are dropped and logged by the firewall. Repeat the reachability check over a period long enough to catch intermittent drops caused by an over-aggressive rate limit.
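The reachability check above can be scripted so it distinguishes a transient blip from a wedged controller. The following is an added example, not code from the original page, the CVE references or the vendor. It assumes the PLC service accepts TCP connections (as this page assumes throughout); the host and port are placeholders supplied on the command line. Only the TCP handshake is attempted, no protocol payload is sent, so the probe cannot itself trigger the packet-processing fault.

```python
"""Responsiveness check for a PLC service port.

Added example (not from the page or the vendor). Assumes the PLC service is
reachable over TCP; host/port are placeholders the operator supplies.
"""
import socket
import time

PERSISTENT_FAILURES = 3  # consecutive failed probes before the outage counts as persistent


def probe(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    Only the handshake is attempted; nothing is written to the socket, so the
    probe cannot exercise the controller's packet-processing fault.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(results, threshold=PERSISTENT_FAILURES):
    """Summarise a sequence of probe outcomes (True = reachable).

    'ok'           no failures at all
    'persistent'   the sequence ends in `threshold` or more consecutive failures
    'intermittent' failures occurred but the controller answered again afterwards
    """
    if all(results):
        return "ok"
    trailing = 0
    for reachable in reversed(results):
        if reachable:
            break
        trailing += 1
    return "persistent" if trailing >= threshold else "intermittent"


def watch(host, port, probes=10, interval=1.0):
    """Probe `probes` times, `interval` seconds apart; return (classification, results)."""
    results = []
    for _ in range(probes):
        results.append(probe(host, port))
        time.sleep(interval)
    return classify(results), results


if __name__ == "__main__":
    import sys

    plc_host, plc_port = sys.argv[1], int(sys.argv[2])  # placeholders: PLC address and service port
    state, outcomes = watch(plc_host, plc_port)
    print(state, "".join("." if ok else "x" for ok in outcomes))
```

Run it from the trusted host before and after the firewall change, and from a host outside the allow-list (where every probe should fail). A "persistent" result from the trusted host after the change points at a rule problem rather than the vulnerability; a "persistent" result during normal operation, with no rule change, is the "PLC going offline unexpectedly" indicator listed under Detection below.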

📡 Detection & Monitoring

Log Indicators:

  • PLC going offline unexpectedly
  • Multiple connection attempts to PLC port
  • PLC requiring manual reset

Network Indicators:

  • Traffic to the PLC service port from hosts that are not the HMI or engineering workstation, or at a rate well above the normal polling interval
  • Malformed or unexpectedly sized packets to the PLC service port, in particular a small number of packets immediately followed by the PLC ceasing to respond
  • Traffic from unauthorized IP addresses to PLC

SIEM Query (pseudo-syntax; adapt the field names to your platform and restrict to the PLC's own address so unrelated hosts on the same port do not fire it):

source_ip NOT IN (trusted_ips) AND destination_ip = [PLC_IP] AND destination_port = [PLC_PORT] AND protocol = tcp
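The indicators above can be checked offline against firewall or flow logs when a SIEM is not in place on the control network. The following is an added example, not code from the original page, the CVE references or the vendor, and it goes slightly beyond the SIEM query: besides flagging untrusted sources it implements the "multiple connection attempts" indicator as a per-source sliding window. The record format (ISO timestamp, source, destination, destination port, protocol) is a generic flow export invented for the example, and PLC_IP, PLC_PORT and TRUSTED_IPS are placeholders; the page does not name the real service port, so the port value exists only to make the constructed sample consistent.

```python
"""Detection logic for the network indicators above, run over constructed flow records.

Added example (not from the page, the CVE references or the vendor). The record
format is an invented generic flow export; PLC_IP, PLC_PORT and TRUSTED_IPS are
placeholders for your own environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PLC_IP = "10.10.1.20"          # placeholder: address of the MAC1100
PLC_PORT = 5002                # placeholder: PLC service port, used only for the sample data
TRUSTED_IPS = {"10.10.1.5"}    # placeholder: HMI / engineering workstation
BURST_WINDOW = timedelta(seconds=60)
BURST_COUNT = 10               # connections from one source within the window before alerting


def parse_flow(line):
    """Parse one 'timestamp src dst dport proto' record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return {
            "ts": datetime.fromisoformat(parts[0]),
            "src": parts[1],
            "dst": parts[2],
            "dport": int(parts[3]),
            "proto": parts[4].lower(),
        }
    except ValueError:
        return None


def analyze(lines):
    """Return alerts for traffic aimed at the PLC service: untrusted sources and bursts.

    The untrusted-source check mirrors the SIEM query above. The burst check keeps a
    per-source sliding window of connection timestamps and fires once a source has
    BURST_COUNT connections within BURST_WINDOW; it applies to trusted hosts too,
    since an HMI hammering the controller is also worth a look.
    """
    alerts = []
    seen_untrusted = set()
    windows = defaultdict(deque)
    burst_reported = set()
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["dst"] != PLC_IP or flow["dport"] != PLC_PORT:
            continue  # only flows to the PLC service matter here
        src = flow["src"]
        if src not in TRUSTED_IPS and src not in seen_untrusted:
            seen_untrusted.add(src)
            alerts.append({"kind": "untrusted_source", "src": src, "ts": flow["ts"]})
        window = windows[src]
        window.append(flow["ts"])
        while window and flow["ts"] - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_COUNT and src not in burst_reported:
            burst_reported.add(src)
            alerts.append({"kind": "burst", "src": src, "count": len(window), "ts": flow["ts"]})
    return alerts


# Constructed sample (not real traffic): normal HMI polling every 5 s, then an
# unknown host opening 12 connections in 12 s, then unrelated noise.
_base = datetime(2021, 3, 1, 10, 0, 0)
SAMPLE_LOG = [
    f"{(_base + timedelta(seconds=5 * i)).isoformat()} 10.10.1.5 {PLC_IP} {PLC_PORT} tcp"
    for i in range(6)
] + [
    f"{(_base + timedelta(minutes=1, seconds=i)).isoformat()} 10.10.7.33 {PLC_IP} {PLC_PORT} tcp"
    for i in range(12)
] + [
    f"{(_base + timedelta(minutes=5)).isoformat()} 10.10.7.33 {PLC_IP} 80 tcp",  # not the PLC port
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the HMI's polling produces no alerts, while 10.10.7.33 produces one untrusted-source alert at its first connection and one burst alert at its tenth. Against real data, feed the output of your firewall's LOG rule or your flow collector through parse_flow after adapting the field order, and set BURST_COUNT from the observed polling rate of the HMI rather than from this example's values.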
