Recently, multiple security vulnerabilities have been identified in two implementations of the Manufacturing Message Specification (MMS) protocol, which pose serious risks to industrial environments if exploited.
According to researchers Mashav Sapir and Vera Mens from Claroty, these vulnerabilities “could allow an attacker to crash an industrial device, or in some cases, facilitate remote code execution.”
MMS, a messaging protocol at the OSI application layer, is designed to allow remote control and monitoring of industrial devices by transmitting supervisory control information in a manner that is independent of specific applications. The protocol enables communication between intelligent electronic devices (IEDs) and systems such as supervisory control and data acquisition (SCADA) or programmable logic controllers (PLCs).
The operational technology (OT) security firm identified five vulnerabilities that affect the libIEC61850 library from MZ Automation and Triangle MicroWorks’ TMW IEC 61850 library. These vulnerabilities were patched in September and October 2022 following responsible disclosure:
- CVE-2022-2970 (CVSS score: 10.0) – A stack-based buffer overflow in the libIEC61850 library, which could result in a crash or enable remote code execution.
- CVE-2022-2971 (CVSS score: 8.6) – A type confusion vulnerability in libIEC61850 that could allow an attacker to crash the server by sending a malicious payload.
- CVE-2022-2972 (CVSS score: 10.0) – Another stack-based buffer overflow flaw in libIEC61850 with the potential to cause a crash or lead to remote code execution.
- CVE-2022-2973 (CVSS score: 8.6) – A null pointer dereference vulnerability in libIEC61850, which could allow an attacker to crash the server.
- CVE-2022-38138 (CVSS score: 7.5) – An access of uninitialized pointer vulnerability that can result in a denial-of-service (DoS) condition.
Additionally, Claroty’s analysis uncovered that Siemens’ SIPROTEC 5 IED used an outdated version of SISCO’s MMS-EASE stack for its MMS protocol, making it susceptible to a DoS condition when targeted with a specially crafted packet (CVE-2015-6574, CVSS score: 7.5). Siemens addressed this issue by releasing a firmware update in December 2022, which included an updated version of the protocol stack, as detailed in an advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Claroty’s research highlights the gap between the security demands of modern technology and the reliance on older, hard-to-replace protocols. The company encourages vendors to adhere to security guidelines recommended by CISA to mitigate future risks.
This disclosure follows a report by Nozomi Networks, which recently detailed two vulnerabilities in Espressif’s ESP-NOW wireless protocol reference implementation. These flaws, tracked as CVE-2024-42483 and CVE-2024-42484, could allow replay attacks and trigger a DoS condition.
“Depending on the targeted system, this vulnerability [CVE-2024-42483] could have serious consequences,” Nozomi Networks stated. “ESP-NOW is used in security infrastructure such as building alarm systems, facilitating communication with motion sensors.”
In such cases, an attacker could exploit this vulnerability by replaying a previously intercepted legitimate ‘OFF’ command, effectively deactivating a motion sensor at will.
Similarly, ESP-NOW’s integration in remote door openers, such as automatic gates or garage doors, could be exploited by intercepting an “OPEN” command and replaying it later, granting unauthorized access to buildings.
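The replay scenario above (a captured ‘OFF’ or “OPEN” command re-sent later) is defeated when the receiver can tell a fresh command from a repeated one. The following is an added illustration, not Espressif’s code or the ESP-NOW protocol’s actual framing: it assumes a pre-shared key per sensor/receiver pair, a frame layout of an 8-byte monotonic counter followed by the command and an HMAC-SHA256 tag, and a receiver that rejects any frame whose counter does not exceed the last accepted one. The key and command strings are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo key. A real deployment would provision a unique secret
# per sensor/receiver pair at pairing time (assumption for this example).
SHARED_KEY = b"demo-key-not-for-production"

COUNTER_LEN = 8   # big-endian unsigned 64-bit monotonic counter
TAG_LEN = 32      # HMAC-SHA256 output length


def build_command(key: bytes, counter: int, command: bytes) -> bytes:
    """Sender side: frame = counter | command | HMAC(key, counter | command).

    The tag covers the counter, so an attacker cannot bump the counter on a
    captured frame to make it look fresh without also forging the MAC.
    """
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + command, hashlib.sha256).digest()
    return header + command + tag


class Receiver:
    """Receiver side: verify the MAC first, then enforce a strictly
    increasing counter so a replayed frame is rejected."""

    def __init__(self, key: bytes):
        self.key = key
        # Highest counter accepted so far. In firmware this value must be
        # persisted across reboots, otherwise a power cycle re-enables
        # every old capture (assumption about deployment, not ESP-NOW).
        self.last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) < COUNTER_LEN + TAG_LEN + 1:
            return (False, "malformed")
        header = frame[:COUNTER_LEN]
        body = frame[COUNTER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking the tag byte by byte.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad mac")
        counter = struct.unpack(">Q", header)[0]
        # Equal or lower counter means this frame (or an older one) was
        # already seen: that is exactly the replayed 'OFF' / 'OPEN' case.
        if counter <= self.last_counter:
            return (False, "replay")
        self.last_counter = counter
        return (True, body.decode("ascii"))


def demo():
    """Walk through a legitimate command, its replay, a tampered frame,
    and a stale counter; returns the receiver's decision for each."""
    rx = Receiver(SHARED_KEY)
    results = []
    off = build_command(SHARED_KEY, 1, b"OFF")
    results.append(rx.accept(off))            # fresh command: accepted
    results.append(rx.accept(off))            # same bytes again: replay
    on = build_command(SHARED_KEY, 2, b"ON")
    tampered = on[:COUNTER_LEN] + b"OF" + on[COUNTER_LEN + 2:]
    results.append(rx.accept(tampered))       # body changed, tag stale: bad mac
    results.append(rx.accept(on))             # counter 2 > 1: accepted
    stale = build_command(SHARED_KEY, 1, b"OFF")
    results.append(rx.accept(stale))          # valid MAC but old counter: replay
    return results


if __name__ == "__main__":
    for ok, info in demo():
        print("ACCEPT" if ok else "REJECT", info)
```

The strictly-increasing rule (rather than exact equality with the next expected value) tolerates lost frames over a lossy radio link while still rejecting anything captured earlier; the cost is that the receiver must keep the last counter in non-volatile storage, which is the usual trade-off in this design.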
In August, Nozomi Networks also highlighted FluidFaults, a collection of 37 unpatched vulnerabilities in the OpenFlow libfluid_msg parsing library. These flaws could allow an attacker to crash Software-Defined Networking (SDN) applications.
“An adversary with network access to an OpenFlow controller or forwarder could send a malicious OpenFlow network packet, triggering a denial-of-service (DoS) attack,” the company explained.
Additionally, new security weaknesses have been discovered in Beckhoff Automation’s TwinCAT/BSD operating system. These flaws could potentially expose Programmable Logic Controllers (PLCs) to logic tampering, DoS attacks, and even enable command execution with root privileges on the controller, posing significant risks to industrial infrastructure.