
Schneider Electric IGSS Data Server v15.0.0.22073 Integer Overflow

Critical

Synopsis

Tenable found an integer overflow vulnerability in Schneider Electric IGSS Data Server (IGSSdataServer.exe) v15.0.0.22052.

An integer overflow condition exists when IGSSdataServer.exe appends an incoming ALMNOTE request to a heap-based buffer that already contains a request. The issue results from the lack of proper validation of user-supplied data before performing memory allocation. An unauthenticated remote attacker can exploit this, via multiple specially crafted messages, to cause a heap-based buffer overflow, leading to denial of service and potentially remote code execution.

The following code snippet shows the vulnerability:

IGSSdataServer.exe v15.0.0.22052
<..snip...>
.text:0049D5C9 write_note:                             ; CODE XREF: FetchControl_ALMNOTE__appendRequest+22↑j
.text:0049D5C9    mov     eax, [ebp+almnote_ctx]
.text:0049D5CC    mov     ecx, [eax+ALMNOTE_CTX.cbData]
.text:0049D5CF    mov     edx, [ebp+pbMsgBody]
.text:0049D5D2    add     ecx, [edx+ALMNOTE_MSG.cbData] ; attacker-controlled size
.text:0049D5D2                                         ; int32 overflow -> small heap buf allocated
.text:0049D5D5    push    ecx
.text:0049D5D6    mov     eax, [ebp+almnote_ctx]
.text:0049D5D9    mov     ecx, [eax+ALMNOTE_CTX.pbInData]
.text:0049D5DC    push    ecx
.text:0049D5DD    call    ds:realloc
.text:0049D5E3    add     esp, 8
.text:0049D5E6    mov     edx, [ebp+almnote_ctx]
.text:0049D5E9    mov     [edx+ALMNOTE_CTX.pbInData], eax
.text:0049D5EC    mov     eax, [ebp+almnote_ctx]
.text:0049D5EF    cmp     [eax+ALMNOTE_CTX.pbInData], 0
.text:0049D5F3    jz      short loc_49D630
.text:0049D5F5    mov     ecx, [ebp+pbMsgBody]
.text:0049D5F8    mov     edx, [ecx+ALMNOTE_MSG.cbData]
.text:0049D5FB    push    edx                          ; attacker-controlled large size
.text:0049D5FC    mov     eax, [ebp+pbMsgBody]
.text:0049D5FF    add     eax, ALMNOTE_MSG.data
.text:0049D602    push    eax
.text:0049D603    mov     ecx, [ebp+almnote_ctx]
.text:0049D606    mov     edx, [ecx+ALMNOTE_CTX.pbInData] ; small heap buffer allocated
.text:0049D609    mov     eax, [ebp+almnote_ctx]
.text:0049D60C    add     edx, [eax+ALMNOTE_CTX.cbData]
.text:0049D60F    push    edx
.text:0049D610                                         ; copy large amount of data to a small
.text:0049D610                                         ; heap buffer -> buffer overflow
.text:0049D610    call    memcpy
<...snip...>
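The defect in the listing is a 32-bit addition of the already-buffered length and the attacker-supplied message length, passed straight to realloc and then followed by a memcpy of the full message length into the (possibly wrapped, and therefore tiny) allocation. The following C is an added illustration, not code from IGSS or from Tenable's PoC: it reconstructs the two context fields the disassembly labels (ALMNOTE_CTX.cbData, ALMNOTE_CTX.pbInData; the struct layout is assumed), shows the wrapping arithmetic in isolation, and places beside it a hardened append that rejects the message before any allocation when the sum would wrap or exceed a caller-chosen cap. The sample request bytes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical reconstruction of the request context named in the
 * disassembly. Field names follow the advisory's labels; the layout and
 * the rest of the structure are assumptions for this example. */
typedef struct {
    uint32_t cbData;    /* bytes of request data already buffered */
    uint8_t *pbInData;  /* heap buffer holding them */
} almnote_ctx_t;

/* The unchecked size computation the listing performs at 0049D5D2: a
 * plain 32-bit add whose result becomes the realloc() size. This helper
 * only returns the (possibly wrapped) value; it allocates nothing. */
uint32_t unchecked_new_size(uint32_t cb_have, uint32_t cb_incoming)
{
    return cb_have + cb_incoming;   /* wraps modulo 2^32 */
}

/* Hardened append: validate the length before touching the heap.
 * cb_max is a policy cap (UINT32_MAX gives the pure overflow check).
 * Returns 0 on success, -1 when the message is rejected or realloc fails;
 * on -1 the context is left exactly as it was. */
int almnote_append_checked(almnote_ctx_t *ctx, const uint8_t *body,
                           uint32_t cb_incoming, uint32_t cb_max)
{
    /* Reject if cb_incoming alone exceeds the cap, or if adding it to what
     * is already buffered would pass the cap (and so could wrap). */
    if (cb_incoming > cb_max || ctx->cbData > cb_max - cb_incoming)
        return -1;

    uint32_t new_size = ctx->cbData + cb_incoming;  /* cannot wrap here */
    uint8_t *p = realloc(ctx->pbInData, new_size ? new_size : 1);
    if (p == NULL)
        return -1;

    ctx->pbInData = p;
    memcpy(ctx->pbInData + ctx->cbData, body, cb_incoming);
    ctx->cbData = new_size;
    return 0;
}

/* Scenario the advisory describes: one request is already buffered and a
 * second ALMNOTE message arrives with a huge cbData. Returns 1 if the
 * hardened path rejects it and leaves the first request intact. */
int demo_second_message_rejected(void)
{
    static const uint8_t first_msg[16] = "constructed-req";  /* constructed sample */
    almnote_ctx_t ctx = { 0, NULL };

    if (almnote_append_checked(&ctx, first_msg, sizeof first_msg, UINT32_MAX) != 0)
        return 0;

    /* 16 + 0xFFFFFFF0 wraps to 0 in 32 bits; the checked path refuses it. */
    int rc = almnote_append_checked(&ctx, first_msg, 0xFFFFFFF0u, UINT32_MAX);
    int ok = (rc == -1 && ctx.cbData == sizeof first_msg);

    free(ctx.pbInData);
    return ok;
}

int main(void)
{
    printf("unchecked 16 + 0xFFFFFFF0 = %u (would be the realloc size)\n",
           unchecked_new_size(16u, 0xFFFFFFF0u));
    printf("hardened append rejects the wrapping message: %s\n",
           demo_second_message_rejected() ? "yes" : "no");
    return 0;
}
```

The check is deliberately written as a subtraction against the cap rather than as a comparison of the sum, because the sum itself is the quantity that cannot be trusted once it has been computed in 32 bits; a realistic server would also set cb_max to the largest request the protocol legitimately allows rather than UINT32_MAX.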

POC: 

python3 igss_dataserver_opcode_14_int32_overflow.py -t <target> -p 12401
python3 igss_dataserver_opcode_14_int32_overflow.py -t <target> -p 12401
python3 igss_dataserver_opcode_14_int32_overflow.py -t <target> -p 12401
Traceback (most recent call last):
  File "/work/0day/igss_dataserver_opcode_14_int32_overflow.py", line 45, in <module>
    s.connect((target, port))
ConnectionRefusedError: [Errno 111] Connection refused

Solution

Update to IGSS Data Server 15.0.0.22074 or higher

Proof of Concept

https://github.com/tenable/poc/blob/master/SchneiderElectric/IGSS/igss_dataserver_opcode_14_int32_overflow.py

Disclosure Timeline

March 9, 2022 - Vulnerabilities discovered
April 11, 2022 - Vulnerabilities reported to vendor
April 11, 2022 - Vendor assigned case numbers 6392 and 6393
April 19, 2022 - Vendor stated case number 6392 is a duplicate of CVE-2022-24324, resolved with version 15.0.0.22074 and referenced by advisory SEVD-2022-102-01 released April 12, 2022. Vendor asked for confirmation.
April 29, 2022 - Vendor asked for update.
May 2, 2022 - Tenable asked for clarification, noting that case 6392 reports an int32 overflow leading to heap-based buffer overflow, while CVE-2022-24324 refers to a stack-based overflow.
May 4, 2022 - Vendor agreed that memory scope is different. Vendor stated that CVE-2022-24324 along with CVE-2022-24310 is fixed in version 15.0.0.22021, resulting in the case 6392 integer overflow no longer existing in the current version.
May 24, 2022 - Vendor asked for update.
June 7, 2022 - Tenable asked for further clarification regarding case 6392, as the vendor noted two different fixed versions for CVE-2022-24324 in previous messages.
June 8, 2022 - Vendor acknowledged requests, stating questions were passed along to product team
June 14, 2022 - Vendor confirmed case 6392 was silently patched
June 15, 2022 - Tenable asked if silently patched case 6392 will receive a CVE and advisory

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2022-2329
Tenable Advisory ID: TRA-2022-13
CVSSv3 Base / Temporal Score:
9.8 / 8.8
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Affected Products:
Schneider Electric IGSS Data Server < 15.0.0.22074
Risk Factor:
Critical

Advisory Timeline

June 15, 2022 - Advisory published
July 12, 2022 - Added CVE and updated reference link