CVE-2022-21159

7.5 HIGH

📋 TL;DR

CVE-2022-21159 is a denial-of-service vulnerability in libiec61850's parseNormalModeParameters function where specially crafted IEC 61850 network messages can crash the service. This affects systems using MZ Automation's libiec61850 library version 1.5.0 for industrial control and energy automation communications.

💻 Affected Systems

Products:
  • MZ Automation GmbH libiec61850
Versions: Version 1.5.0
Operating Systems: Linux, Windows, Embedded systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any system using libiec61850 1.5.0 with IEC 61850 protocol enabled. Industrial control systems, SCADA systems, and energy automation equipment are primary targets.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service disruption of IEC 61850-enabled devices, potentially affecting industrial control systems, power grid equipment, or substation automation systems.

🟠 Likely Case: Service crashes requiring manual restart of affected applications or devices, causing temporary operational disruption.

🟢 If Mitigated: Minimal impact with proper network segmentation and monitoring; affected services automatically restart with minimal downtime.

🌐 Internet-Facing: MEDIUM - Requires specific IEC 61850 protocol knowledge and network access, but industrial systems should not be internet-facing.
🏢 Internal Only: HIGH - Within industrial networks, attackers with internal access could disrupt critical operations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending malformed IEC 61850 messages to vulnerable endpoints. Public details available in Talos Intelligence reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libiec61850 1.5.1 and later

Vendor Advisory: https://github.com/mz-automation/libiec61850/commit/cfa94cbf10302bedc779703f874ee2e8387a0721

Restart Required: Yes

Instructions:

1. Update libiec61850 to version 1.5.1 or later.
2. Recompile any applications using the library.
3. Restart affected services.
4. Test IEC 61850 functionality.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate IEC 61850 traffic to trusted networks only.

Firewall Rules (linux)

Restrict access to IEC 61850 ports (default 102) to authorized sources only:

  iptables -A INPUT -p tcp --dport 102 -s trusted_ip -j ACCEPT
  iptables -A INPUT -p tcp --dport 102 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit IEC 61850 traffic to trusted sources only
  • Deploy intrusion detection systems to monitor for malformed IEC 61850 messages and alert on suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check the libiec61850 version: run ldd on linked applications to find the library they load, or check the library files directly.

Check Version:

strings /usr/lib/libiec61850.so | grep 'libiec61850' or check package manager

Verify Fix Applied:

Verify version is 1.5.1 or later and test with IEC 61850 message fuzzing tools
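As an added example (not code from the advisory or from the libiec61850 project), a small POSIX shell script that applies the version check above: it pulls the version token out of `strings` output and classifies it against the 1.5.1 fix boundary. The sample `strings` output is constructed, and the library path passed to check_library is the caller's choice.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the libiec61850 project:
# classify a libiec61850 build for CVE-2022-21159 using the version string
# embedded in the library (1.5.0 affected, 1.5.1 and later fixed, as above).

# Read text on stdin (for instance `strings libiec61850.so`) and print the
# first x.y.z token found on a line that mentions libiec61850.
extract_version() {
    grep -i 'libiec61850' | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# Print VULNERABLE for anything older than 1.5.1, FIXED for 1.5.1 and later,
# UNKNOWN when the argument is not a parseable x.y.z version.
classify_version() {
    v=$1
    case $v in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-rc1"
    # Three-way numeric comparison against the fixed version 1.5.1.
    if [ "$major" -gt 1 ] \
       || { [ "$major" -eq 1 ] && [ "$minor" -gt 5 ]; } \
       || { [ "$major" -eq 1 ] && [ "$minor" -eq 5 ] && [ "$patch" -ge 1 ]; }; then
        echo FIXED
    else
        echo VULNERABLE
    fi
}

# Inspect a real library file on this host (path is the caller's choice).
check_library() {
    lib=$1
    [ -r "$lib" ] || { echo UNKNOWN; return 0; }
    classify_version "$(strings "$lib" | extract_version)"
}

# Constructed stand-in for `strings` output; not captured from a real build.
SAMPLE='GLIBC_2.2.5
libiec61850 1.5.0
MmsServer_create'

printf '%s\n' "$SAMPLE" | extract_version                          # 1.5.0
classify_version "$(printf '%s\n' "$SAMPLE" | extract_version)"    # VULNERABLE
```

An UNKNOWN result means the version could not be read from the file and the package manager or build metadata should be consulted instead.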

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Unexpected service restarts
  • Error logs mentioning parseNormalModeParameters

Network Indicators:

  • Unusual volume of IEC 61850 messages from single source
  • Malformed IEC 61850 packets on port 102/TCP

SIEM Query:

source_port:102 AND (packet_size:>1500 OR protocol_anomaly:true)
