CVE-2024-45970
📋 TL;DR
This critical vulnerability allows a malicious MMS server to trigger a stack-based buffer overflow in the MZ Automation LibIEC61850 client via specially crafted FileDirResponse messages. Successful exploitation could lead to remote code execution or denial of service. Systems using vulnerable versions of LibIEC61850 for MMS client functionality are affected.
💻 Affected Systems
- MZ Automation LibIEC61850
📦 What is this software?
LibIEC61850 by MZ Automation
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise, allowing attacker to execute arbitrary code with the privileges of the MMS client process.
Likely Case
Denial of service causing the MMS client to crash, potentially disrupting industrial control system communications.
If Mitigated
Limited impact if proper network segmentation and input validation controls are in place, potentially only causing client crashes.
🎯 Exploit Status
Exploitation requires the vulnerable client to connect to a malicious server. No authentication is required to trigger the overflow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit ac925fae8e281ac6defcd630e9dd756264e9c5bc or later
Vendor Advisory: https://encs.eu/news/critical-security-vulnerabilities-discovered-in-mz-automations-mms-client/
Restart Required: Yes
Instructions:
1. Update LibIEC61850 to commit ac925fae8e281ac6defcd630e9dd756264e9c5bc or later.
2. Rebuild and reinstall the library.
3. Restart any applications using the library.
🔧 Temporary Workarounds
Network Segmentation
Restrict MMS client connections to trusted servers only using firewall rules.
Input Validation Proxy
Deploy a proxy that validates MMS FileDirResponse messages before forwarding to clients.
🧯 If You Can't Patch
- Implement strict network controls to allow MMS client connections only to trusted, verified servers.
- Monitor for abnormal MMS client crashes or unexpected behavior that could indicate exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check the LibIEC61850 version or commit hash. If building from source, the checkout is vulnerable if it is before commit ac925fae8e281ac6defcd630e9dd756264e9c5bc.
Check Version:
Check library version in application logs or use 'git log --oneline -1' in source directory.
Verify Fix Applied:
Confirm LibIEC61850 is at commit ac925fae8e281ac6defcd630e9dd756264e9c5bc or later. Test MMS client functionality with known good servers.
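The source-tree check described above, as an added example that is not part of the original advisory or the LibIEC61850 project: 'git log --oneline -1' shows only the current commit, so this script asks git whether the fix commit is an ancestor of HEAD. The function name check_fix and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not project code): does a LibIEC61850 git checkout contain
# the fix commit named in the advisory?
FIX_COMMIT=ac925fae8e281ac6defcd630e9dd756264e9c5bc

# check_fix <repo-dir> [fix-commit]   (hypothetical helper)
# Prints one status line and returns:
#   0 = fix commit is an ancestor of HEAD (patched)
#   1 = fix commit is known but not in HEAD's history (vulnerable)
#   2 = cannot tell (not a git checkout, or fix commit object missing)
check_fix() {
    repo=$1
    fix=${2:-$FIX_COMMIT}

    # Release tarballs and vendored copies carry no git metadata.
    if ! git -C "$repo" rev-parse --git-dir >/dev/null 2>&1; then
        echo "unknown: $repo is not a git checkout"
        return 2
    fi

    # A stale or shallow clone may not have the fix commit object at all;
    # fetch from upstream and re-run before drawing a conclusion.
    if ! git -C "$repo" cat-file -e "${fix}^{commit}" 2>/dev/null; then
        echo "unknown: commit $fix not present in $repo"
        return 2
    fi

    # merge-base --is-ancestor exits 0 (ancestor), 1 (not), other on error.
    rc=0
    git -C "$repo" merge-base --is-ancestor "$fix" HEAD 2>/dev/null || rc=$?
    case $rc in
        0) echo "patched: HEAD contains $fix"; return 0 ;;
        1) echo "vulnerable: HEAD does not contain $fix"; return 1 ;;
        *) echo "unknown: git error $rc"; return 2 ;;
    esac
}

# Stand-alone use: sh check_fix.sh /path/to/libiec61850
if [ "$#" -gt 0 ]; then
    check_fix "$@"
fi
```

An "unknown" result means the answer has to come from the application's build records or a fresh fetch; it is not evidence of a patched build.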
📡 Detection & Monitoring
Log Indicators:
- MMS client crashes, segmentation faults, or abnormal termination logs
Network Indicators:
- Unusual MMS FileDirResponse messages from untrusted sources, abnormal packet sizes
SIEM Query:
Search for: 'libiec61850' AND ('crash' OR 'segmentation fault' OR 'buffer overflow')