ABB RTU500 Series Buffer Overflow in embedded OpenSSL (CVE-2021-3711)

critical Tenable OT Security Plugin ID 501742

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A vulnerability exists in the OpenSSL Version 1.0.2 that affects the RTU500 Series product versions listed below.

RTU500 series CMU Firmware versions 12.0.1 – 12.0.14 12.2.1 – 12.2.11 12.4.1 – 12.4.11 12.6.1 – 12.6.8 12.7.1 – 12.7.5 13.2.1 – 13.2.5 13.3.1 – 13.3.3 13.4.1

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non- NULL value for the out parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

Refer to the vendor advisory.

See Also

https://www.openssl.org/news/secadv/20210824.txt

http://www.nessus.org/u?4e69aead

https://www.cisa.gov/news-events/ics-advisories/icsa-23-143-02

http://www.nessus.org/u?10034489

Plugin Details

Severity: Critical

ID: 501742

Version: 1.2

Type: remote

Family: Tenable.ot

Published: 9/29/2023

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-3711

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:hitachienergy:rtu500_firmware:-

Required KB Items: Tenable.ot/ABB

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/24/2021

Vulnerability Publication Date: 8/24/2021

Reference Information

CVE: CVE-2021-3711

CWE: 120

DSA: DSA-4963

GLSA: GLSA-202209-02, GLSA-202210-02

ICSA: 23-143-02