CVE-2021-31346 in APOGEE MBC

Summary

by MITRE • 11/09/2021

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions), APOGEE PXC Compact (P2 Ethernet) (All versions), APOGEE PXC Modular (BACnet) (All versions), APOGEE PXC Modular (P2 Ethernet) (All versions), Capital VSTAR (All versions), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus ReadyStart V4 (All versions < V4.1.1), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions), TALON TC Modular (BACnet) (All versions). The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0007)


Analysis

by VulDB Data Team • 10/08/2024

This vulnerability resides in multiple industrial control and embedded networking products, spanning the APOGEE, Capital VSTAR, Nucleus, and TALON product lines. The flaw lies in the handling of Internet Control Message Protocol (ICMP) packets: the system fails to check the total length of the ICMP payload as set in the IP header. This oversight can lead to a buffer overflow or other memory corruption that is reachable through crafted ICMP packets. The vulnerability affects both the BACnet and P2 Ethernet variants of the affected controllers, indicating an issue shared across the different network implementations within these industrial control systems.

The technical nature of this vulnerability aligns with CWE-129, which describes improper validation of length parameters, and can be categorized under ATT&CK technique T1499.3 for network denial of service attacks. When an attacker sends an ICMP packet with an oversized payload length field, the system processes this without proper bounds checking, potentially causing memory corruption or information disclosure. The impact varies based on the specific memory layout and buffer organization within each device's implementation, making the vulnerability particularly dangerous as it may result in unpredictable behavior including system crashes, information leakage, or complete denial of service conditions that could disrupt critical industrial operations.

The operational implications of this vulnerability extend beyond simple network disruption to potentially compromise the integrity of industrial control systems that rely on these devices for critical infrastructure management. Given that these products are used in environments such as building automation, process control, and industrial monitoring systems, an attacker could exploit this weakness to gain unauthorized access to system information or cause service interruptions that might affect safety-critical operations. The vulnerability affects multiple generations of firmware and software implementations, suggesting that organizations may be exposed across their entire installed base of these industrial control devices.

Organizations should implement immediate mitigations including network segmentation to isolate affected devices from critical network segments, deployment of intrusion detection systems to monitor for suspicious ICMP traffic patterns, and application of firmware updates from vendors when available. Network administrators should also consider implementing access control lists to restrict ICMP traffic to only trusted sources and monitor for unusual payload sizes in network traffic. The vulnerability demonstrates the importance of proper input validation in embedded systems and highlights the need for comprehensive security testing of industrial control protocols. Organizations should conduct thorough vulnerability assessments across their industrial control system environments to identify all potentially affected devices and implement layered defensive measures to protect against exploitation attempts.
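The missing check described in the summary and analysis above, and the "unusual payload size" monitoring recommended here, come down to the same comparison: the total length the IP header claims must be bounded by the bytes actually received before it is used to size any copy, and the resulting ICMP payload length should be compared against a policy threshold. The following is an added example written for this page; it is not code from Siemens, VulDB or the Nucleus NET stack and does not reproduce any device's internals. It assumes raw IPv4 packets with no link-layer header, constructs its own sample packets, and uses an assumed policy threshold (`MAX_ICMP_PAYLOAD`, derived from a 1500-byte Ethernet MTU) that a deployment would tune.

```python
"""IPv4/ICMP length-consistency validator and monitor.

Added example (not code from Siemens, VulDB or the Nucleus NET stack): the
check a receiving stack should make before trusting the IP header's total
length, which a passive monitor can also run over captured traffic. Frames are
raw IPv4 packets with no link-layer header; all sample packets are constructed
here. MAX_ICMP_PAYLOAD is an assumed policy threshold.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_MIN_HDR = 20
ICMP_HDR = 8
PROTO_ICMP = 1
# Assumed policy: largest ICMP payload that fits an untagged 1500-byte Ethernet
# MTU (1500 - 20 IPv4 header - 8 ICMP header). Anything larger is flagged.
MAX_ICMP_PAYLOAD = 1472


@dataclass
class IcmpCheck:
    ok: bool
    reason: str
    declared_total_len: int
    captured_len: int
    icmp_payload_len: int


def check_ipv4_icmp(frame: bytes, max_payload: int = MAX_ICMP_PAYLOAD) -> IcmpCheck:
    """Return ok=True only if the header lengths are consistent with the bytes
    actually received and the ICMP payload is within policy."""
    captured = len(frame)
    if captured < IPV4_MIN_HDR:
        return IcmpCheck(False, "truncated IPv4 header", 0, captured, 0)
    version = frame[0] >> 4
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if version != 4 or ihl < IPV4_MIN_HDR or ihl > captured:
        return IcmpCheck(False, "invalid IPv4 version or IHL", total_len, captured, 0)
    if frame[9] != PROTO_ICMP:
        return IcmpCheck(True, "not ICMP", total_len, captured, 0)
    # The check the advisory says is missing: the length claimed by the IP
    # header must be bounded by what was actually received before it drives
    # any copy or buffer arithmetic.
    if total_len > captured:
        return IcmpCheck(False, "declared total length exceeds captured bytes",
                         total_len, captured, 0)
    if total_len < ihl + ICMP_HDR:
        return IcmpCheck(False, "declared total length smaller than IP+ICMP headers",
                         total_len, captured, 0)
    payload_len = total_len - ihl - ICMP_HDR
    if payload_len > max_payload:
        return IcmpCheck(False, "ICMP payload exceeds policy threshold",
                         total_len, captured, payload_len)
    return IcmpCheck(True, "ok", total_len, captured, payload_len)


def build_ipv4_icmp_echo(payload: bytes, declared_total_len: Optional[int] = None) -> bytes:
    """Constructed IPv4/ICMP echo request (checksums left zero; only the length
    fields matter here). declared_total_len overrides the true size to model a
    packet whose header misstates its length."""
    total = (IPV4_MIN_HDR + ICMP_HDR + len(payload)
             if declared_total_len is None else declared_total_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0, 64, PROTO_ICMP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # echo request, code 0, csum 0, id 1, seq 1
    return ip + icmp + payload


def scan(frames: List[bytes]) -> List[Tuple[int, str]]:
    """Monitor view: index and reason for every frame that fails the check."""
    alerts = []
    for i, f in enumerate(frames):
        r = check_ipv4_icmp(f)
        if not r.ok:
            alerts.append((i, r.reason))
    return alerts


if __name__ == "__main__":
    samples = [
        build_ipv4_icmp_echo(b"A" * 32),                           # consistent
        build_ipv4_icmp_echo(b"A" * 32, declared_total_len=1500),  # claims more than received
        build_ipv4_icmp_echo(b"", declared_total_len=24),          # claims less than headers need
        build_ipv4_icmp_echo(b"B" * 1500),                         # consistent but over policy
    ]
    for idx, why in scan(samples):
        print(f"frame {idx}: {why}")
```

The first two failure branches are the ones a receiving stack must have; the policy-threshold branch is the monitoring view, where a consistent but unusually large ICMP payload toward a controller is worth an alert even though it is well-formed.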

Reservation

04/15/2021

Disclosure

11/09/2021

Moderation

accepted

CPE

ready

EPSS

0.01902

KEV

no

Activities

very low

Sources
