CVE-2020-6994

9.8 CRITICAL

📋 TL;DR

A buffer overflow vulnerability in Hirschmann Automation and Control HiOS and HiSecOS allows remote attackers to execute arbitrary code by sending specially crafted HTTP requests. This affects multiple industrial control system devices including RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, and EAGLE20/30 models. The vulnerability stems from improper parsing of URL arguments in affected firmware versions.

💻 Affected Systems

Products:
  • RSP
  • RSPE
  • RSPS
  • RSPL
  • MSP
  • EES
  • EESX
  • GRS
  • OS
  • RED
  • EAGLE20
  • EAGLE30
Versions: HiOS Version 07.0.02 and lower, HiSecOS Version 03.2.00 and lower
Operating Systems: HiOS, HiSecOS
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with vulnerable firmware versions are vulnerable by default. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, potential lateral movement within industrial networks, and disruption of critical industrial processes.

🟠 Likely Case

Device crash or denial of service affecting industrial automation systems, with potential for limited code execution in constrained environments.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict HTTP filtering and network segmentation, though the buffer overflow could still cause device instability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests to vulnerable devices. No authentication is required, which makes this easily exploitable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HiOS Version 07.0.03 or higher, HiSecOS Version 03.2.01 or higher

Vendor Advisory: https://www.us-cert.gov/ics/advisories/icsa-20-091-01

Restart Required: Yes

Instructions:

1. Download updated firmware from the Hirschmann support portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the web interface or CLI.
4. Reboot the device.
5. Verify the firmware version and restore the configuration if needed.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate affected devices in separate network segments with strict firewall rules limiting HTTP access.

HTTP Request Filtering (applies to: all)

Implement a web application firewall or proxy to filter malicious HTTP requests targeting URL arguments.

🧯 If You Can't Patch

  • Implement strict network access controls to limit HTTP traffic to affected devices from trusted sources only.
  • Monitor network traffic for unusual HTTP patterns and implement intrusion detection rules for buffer overflow attempts.

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or CLI. Compare against affected versions: HiOS ≤ 07.0.02 or HiSecOS ≤ 03.2.00.

Check Version:

show version (CLI) or check System Information in web interface

Verify Fix Applied:

Verify firmware version is HiOS ≥ 07.0.03 or HiSecOS ≥ 03.2.01. Test with controlled HTTP requests to confirm buffer overflow is prevented.
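The version comparison above is easy to get wrong by hand because the vendor writes versions with leading zeros (07.0.02). The following is an added example, not part of this advisory or any Hirschmann tooling; it assumes the version string reported by the device is dotted-numeric (an optional "v" prefix or trailing suffix is tolerated) and encodes only the thresholds stated on this page.

```python
# Added example (not from the advisory): classify a Hirschmann device's reported
# firmware version against the CVE-2020-6994 affected range. Thresholds come from
# the advisory: HiOS <= 07.0.02 and HiSecOS <= 03.2.00 are affected; the first
# fixed releases are HiOS 07.0.03 and HiSecOS 03.2.01.
import re

# First fixed release per OS. Anything strictly below is affected.
FIRST_FIXED = {
    "HiOS": (7, 0, 3),
    "HiSecOS": (3, 2, 1),
}

def parse_version(text):
    """Turn a dotted version such as '07.0.02' into a tuple of ints.

    Leading zeros are dropped, so '07.0.02' compares equal to '7.0.2'.
    An optional leading 'v' and any trailing suffix (assumed format,
    e.g. '-rc1') are ignored.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_vulnerable(os_name, version):
    """Return True if (os_name, version) falls in the affected range."""
    if os_name not in FIRST_FIXED:
        raise ValueError(f"unknown OS {os_name!r}; expected one of {sorted(FIRST_FIXED)}")
    parsed = parse_version(version)
    fixed = FIRST_FIXED[os_name]
    # Pad with zeros so a short version like '07.0' compares as '07.0.00'.
    width = max(len(parsed), len(fixed))
    parsed += (0,) * (width - len(parsed))
    fixed += (0,) * (width - len(fixed))
    return parsed < fixed

def triage(inventory):
    """Map device name -> 'VULNERABLE' or 'fixed' for (name, os, version) rows."""
    return {name: ("VULNERABLE" if is_vulnerable(os_name, ver) else "fixed")
            for name, os_name, ver in inventory}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("rsp-plant-01", "HiOS", "07.0.02"),
        ("rsp-plant-02", "HiOS", "07.0.03"),
        ("eagle30-dmz", "HiSecOS", "03.2.00"),
        ("eagle30-core", "HiSecOS", "v03.3.01-rc1"),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```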

📡 Detection & Monitoring

Log Indicators:

  • Device crash logs
  • HTTP request errors
  • Buffer overflow warnings in system logs

Network Indicators:

  • Unusual HTTP traffic patterns
  • Malformed URL arguments in HTTP requests
  • Traffic to industrial device web interfaces from unexpected sources

SIEM Query:

source="industrial_device" AND (http_request CONTAINS "buffer" OR http_request CONTAINS "overflow" OR http_status=500)
