Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Schneider Electric IGSS Data Server v15.0.0.22073 Integer Overflow

Critical

Synopsis

Tenable found an integer overflow vulnerability in Schneider Electric IGSS Data Server (IGSSdataServer.exe) v15.0.0.22052.

An integer Overflow condition exists when IGSSdataServer.exe appends an incoming ALMNOTE request to a heap-based buffer that already contains a request. The issue results from the lack of proper validation of user-supplied data before performing memory allocation. An unauthenticated remote attacker can exploit this, via multiple specially crafted messages, to cause heap-based buffer overflow, leading to denial of service and potentially remote code execution.

The following code snippet shows the vulnerability:

IGSSdataServer.exe v15.0.0.22052
<..snip...>
.text:0049D5C9 write_note:                             ; CODE XREF: FetchControl_ALMNOTE__appendRequest+22↑j
.text:0049D5C9    mov     eax, [ebp+almnote_ctx]
.text:0049D5CC    mov     ecx, [eax+ALMNOTE_CTX.cbData]
.text:0049D5CF    mov     edx, [ebp+pbMsgBody]
.text:0049D5D2    add     ecx, [edx+ALMNOTE_MSG.cbData] ; attacker-controlled size
.text:0049D5D2                                         ; int32 overflow -> small heap buf allocated
.text:0049D5D5    push    ecx
.text:0049D5D6    mov     eax, [ebp+almnote_ctx]
.text:0049D5D9    mov     ecx, [eax+ALMNOTE_CTX.pbInData]
.text:0049D5DC    push    ecx
.text:0049D5DD    call    ds:realloc
.text:0049D5E3    add     esp, 8
.text:0049D5E6    mov     edx, [ebp+almnote_ctx]
.text:0049D5E9    mov     [edx+ALMNOTE_CTX.pbInData], eax
.text:0049D5EC    mov     eax, [ebp+almnote_ctx]
.text:0049D5EF    cmp     [eax+ALMNOTE_CTX.pbInData], 0
.text:0049D5F3    jz      short loc_49D630
.text:0049D5F5    mov     ecx, [ebp+pbMsgBody]
.text:0049D5F8    mov     edx, [ecx+ALMNOTE_MSG.cbData]
.text:0049D5FB    push    edx                          ; attacker-controlled large size
.text:0049D5FC    mov     eax, [ebp+pbMsgBody]
.text:0049D5FF    add     eax, ALMNOTE_MSG.data
.text:0049D602    push    eax
.text:0049D603    mov     ecx, [ebp+almnote_ctx]
.text:0049D606    mov     edx, [ecx+ALMNOTE_CTX.pbInData] ; small heap buffer allocated
.text:0049D609    mov     eax, [ebp+almnote_ctx]
.text:0049D60C    add     edx, [eax+ALMNOTE_CTX.cbData]
.text:0049D60F    push    edx
.text:0049D610 copy large amount of data to a small
.text:0049D610 heap buffer -> buffer overflow
.text:0049D610    call    memcpy
<...snip...>

POC: 

python3 igss_dataserver_opcode_14_int32_overflow.py -t <target> -p 12401
python3 igss_dataserver_opcode_14_int32_overflow.py -t <target> -p 12401
python3 igss_dataserver_opcode_14_int32_overflow.py -t <target> -p 12401
Traceback (most recent call last):
  File "/work/0day/igss_dataserver_opcode_14_int32_overflow.py", line 45, in <module>
    s.connect((target, port))
ConnectionRefusedError: [Errno 111] Connection refused

Solution

Update to IGSS Data Server 15.0.0.22074 or higher

Proof of Concept

https://github.com/tenable/poc/blob/master/SchneiderElectric/IGSS/igss_dataserver_opcode_14_int32_overflow.py

Disclosure Timeline

March 9, 2022 - Vulnerabilities discovered
April 11, 2022 - Vulnerabilities reported to vendor
April 11, 2022 - Vendor assigned case numbers 6392 and 6393
April 19, 2022 - Vendor stated case number 6392 is a duplicate of CVE-2022-24324, resolved with version 15.0.0.22074 and referenced by advisory SEVD-2022-102-01 released April 12, 2022. Vendor asked for confirmation.
April 29, 2022 - Vendor asked for update.
May 2, 2022 - Tenable asked for clarification, noting that case 6392 reports an int32 overflow leading to heap-based buffer overflow, while CVE-2022-24324 refers to a stack-based overflow.
May 4, 2022 - Vendor agreed that memory scope is different. Vendor stated that CVE-2022-24324 along with CVE-2022-24310 is fixed in version 15.0.0.22021, resulting in the case 6392 integer overflow no longer existing in the current version.
May 24, 2022 - Vendor asked for update.
June 7, 2022 - Tenable asked for further clarification regarding case 6392, as the vendor noted two different fixed versions for CVE-2022-24324 in previous messages.
June 8, 2022 - Vendor acknowledged requests, stating questions were passed along to product team
June 14, 2022 - Vendor confirmed case 6392 was silently patched
June 15, 2022 - Tenable asked if silently patched case 6392 will receive a CVE and advisory

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2022-2329
Tenable Advisory ID: TRA-2022-13
CVSSv3 Base / Temporal Score:
9.8 / 8.8
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Affected Products:
Schneider Electric IGSS Data Server < 15.0.0.22074
Risk Factor:
Critical

Advisory Timeline

June 15, 2022 - Advisory published
July 12, 2022 - Added CVE and updated reference link

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training