Industrial Automation Systems Flaw Opens Devices to Remote Hack

Security researchers have discovered a critical flaw in Real-Time Automation’s (RTA) 499ES EtherNet/IP (ENIP) stack that could be exploited by a remote attacker to compromise industrial control systems.

EtherNet/IP: EtherNet/IP is an Ethernet-based application-layer protocol for industrial automation. It is carried inside ordinary TCP/IP or UDP/IP packets; that is, EtherNet/IP is simply the way data is organized in the payload of a TCP or UDP packet, so anyone who can reach a device’s ENIP port can send it ENIP messages.

The vulnerability can cause a denial-of-service condition and, depending on other conditions, can expose a device running an older version of the stack to remote code execution.

The vulnerability is tracked as CVE-2020-25159 and carries a CVSS base score of 9.8 out of 10 (critical) under the industry-standard Common Vulnerability Scoring System.

The flaw affects all versions of the 499ES EtherNet/IP Adapter Source Code Stack prior to 2.28, which was released on November 21, 2012.

Claroty researchers disclosed details to Real-Time Automation (RTA), informing the vendor of a critical vulnerability in its proprietary 499ES EtherNet/IP (ENIP) stack. RTA’s ENIP stack is widely implemented in industrial automation systems.

The affected product is vulnerable to a stack-based buffer overflow: an attacker who can reach a device’s EtherNet/IP service can send a specially crafted packet that overflows a fixed-size buffer on the stack. At minimum this crashes the ENIP service (a denial-of-service condition); the overflow may also allow remote code execution.
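The advisory describes the bug only as a stack-based buffer overflow reachable by a specially crafted packet, which is the classic pattern of a parser that trusts a length field it read off the wire. The C listing below is an added illustration of that pattern and is not RTA’s code; where the real bug sits inside the 499ES stack is not given on this page. What is real is the 24-byte EtherNet/IP encapsulation header (command, length, session handle, status, sender context, options, all little-endian) that every ENIP message carries over TCP or UDP port 44818. The 64-byte scratch buffer, the handler names and the frames built in the listing are assumptions for the demo.

```c
/*
 * Added illustration (not RTA's code): a minimal EtherNet/IP encapsulation
 * parser showing the stack-overflow pattern behind "specially crafted packet"
 * bugs, beside a bounds-checked version. The 24-byte header layout is from the
 * public EtherNet/IP spec; the handler names, the 64-byte scratch buffer and
 * the frames built below are assumptions for this demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENIP_HDR_LEN          24      /* fixed encapsulation header size */
#define ENIP_CMD_SEND_RR_DATA 0x006F  /* carries a CIP request */
#define CMD_DATA_MAX          64      /* assumed size of the per-request scratch buffer */

struct enip_header {
    uint16_t command;           /* e.g. 0x0063 ListIdentity, 0x006F SendRRData */
    uint16_t length;            /* attacker-controlled: bytes of command data that follow */
    uint32_t session_handle;
    uint32_t status;
    uint8_t  sender_context[8];
    uint32_t options;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Decode the little-endian header. Returns 0 on success, -1 if the packet is too short. */
int enip_parse_header(const uint8_t *pkt, size_t len, struct enip_header *h)
{
    if (pkt == NULL || h == NULL || len < ENIP_HDR_LEN)
        return -1;
    h->command        = rd16(pkt);
    h->length         = rd16(pkt + 2);
    h->session_handle = rd32(pkt + 4);
    h->status         = rd32(pkt + 8);
    memcpy(h->sender_context, pkt + 12, 8);
    h->options        = rd32(pkt + 20);
    return 0;
}

/* VULNERABLE pattern: trusts the length field and copies that many bytes into a fixed stack buffer. */
int enip_handle_unchecked(const uint8_t *pkt, size_t len)
{
    struct enip_header h;
    uint8_t cmd_data[CMD_DATA_MAX];
    if (enip_parse_header(pkt, len, &h) != 0)
        return -1;
    memcpy(cmd_data, pkt + ENIP_HDR_LEN, h.length);   /* h.length up to 65535 -> overflows cmd_data */
    return (int)h.length;                             /* (and reads past the packet if the header lies) */
}

/* HARDENED: the declared length must match what was received and must fit the buffer. */
int enip_handle_checked(const uint8_t *pkt, size_t len)
{
    struct enip_header h;
    uint8_t cmd_data[CMD_DATA_MAX];
    if (enip_parse_header(pkt, len, &h) != 0)
        return -1;
    if ((size_t)h.length != len - ENIP_HDR_LEN)       /* header disagrees with bytes on the wire */
        return -1;
    if ((size_t)h.length > sizeof cmd_data)           /* would overflow the scratch buffer */
        return -1;
    memcpy(cmd_data, pkt + ENIP_HDR_LEN, h.length);
    return (int)h.length;
}

/* Construct a SendRRData frame: 'declared_len' goes in the header, 'payload_len' bytes of 'A' follow. */
size_t enip_build_frame(uint8_t *out, size_t cap, uint16_t declared_len, size_t payload_len)
{
    if (cap < ENIP_HDR_LEN + payload_len)
        return 0;
    memset(out, 0, ENIP_HDR_LEN + payload_len);
    out[0] = ENIP_CMD_SEND_RR_DATA & 0xFF;
    out[1] = ENIP_CMD_SEND_RR_DATA >> 8;
    out[2] = declared_len & 0xFF;
    out[3] = declared_len >> 8;
    memset(out + ENIP_HDR_LEN, 'A', payload_len);
    return ENIP_HDR_LEN + payload_len;
}

/* Build a frame and run it through one handler; 'checked' selects the hardened path. */
int enip_run(int checked, uint16_t declared_len, size_t payload_len)
{
    uint8_t frame[ENIP_HDR_LEN + 512];
    size_t n = enip_build_frame(frame, sizeof frame, declared_len, payload_len);
    if (n == 0)
        return -1;
    return checked ? enip_handle_checked(frame, n) : enip_handle_unchecked(frame, n);
}

int main(void)
{
    printf("benign (16 bytes):     unchecked=%d checked=%d\n", enip_run(0, 16, 16), enip_run(1, 16, 16));
    printf("oversized (400 bytes): checked=%d  (unchecked would overflow cmd_data)\n", enip_run(1, 400, 400));
    printf("lying header (400/16): checked=%d  (unchecked would read past the packet)\n", enip_run(1, 400, 16));
    return 0;
}
```

The hardened handler makes the two checks a packet parser must make before any copy: the declared length has to match the number of bytes actually received, and it has to fit the destination buffer. The unchecked variant is exercised only with the benign frame; with the oversized frame it would write past `cmd_data` into the saved registers and return address, which on firmware built without stack canaries or ASLR is the usual road from a crash (denial of service) to remote code execution.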

Claroty researchers scanned 290 unique ENIP-compatible devices and identified 32 distinct ENIP stack implementations among them. Eleven devices, from six different vendors, were found to be running RTA’s ENIP stack.

Using search engines for Internet-connected devices such as Shodan.io, the researchers found more than 8,000 ENIP-compatible devices directly exposed to the Internet.
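Fingerprinting ENIP devices, as Claroty did to tell 32 different stacks apart, is possible because EtherNet/IP has a standard discovery command, ListIdentity (0x0063), whose reply carries a CIP Identity item (item type 0x000C) with vendor ID, device type, product code, revision, serial number and product name. The C listing below is an added example, not Claroty’s scanner or RTA’s code: it builds the request, parses a reply, and runs against a constructed sample reply so it works offline. The sample values (vendor 0x1234, product name “Demo ENIP Adapter”, revision 2.28) are invented for the demo; the field layout follows the public EtherNet/IP encapsulation and CIP identity formats.

```c
/*
 * Added example (not Claroty's scanner or RTA's code): how ENIP fingerprinting
 * works on the wire. ListIdentity (command 0x0063) is the standard EtherNet/IP
 * discovery request; the reply carries a CIP Identity item (type 0x000C) with
 * vendor ID, product code, revision and product name. Layouts follow the public
 * EtherNet/IP spec; the sample reply below is constructed for this demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENIP_HDR_LEN           24
#define ENIP_CMD_LIST_IDENTITY 0x0063
#define CPF_ITEM_IDENTITY      0x000C
#define ENIP_TCP_PORT          44818

struct enip_identity {
    uint16_t vendor_id;        /* ODVA-assigned vendor number */
    uint16_t device_type;      /* CIP device profile, e.g. 0x000C communications adapter */
    uint16_t product_code;
    uint8_t  rev_major, rev_minor;
    uint32_t serial;
    char     product_name[33]; /* SHORT_STRING: at most 32 chars, plus NUL here */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xFFFF); wr16(p + 2, v >> 16); }

/* ListIdentity request: a bare 24-byte header, command 0x0063, zero data length. Returns bytes written. */
size_t enip_build_list_identity(uint8_t *out, size_t cap)
{
    if (cap < ENIP_HDR_LEN)
        return 0;
    memset(out, 0, ENIP_HDR_LEN);
    wr16(out, ENIP_CMD_LIST_IDENTITY);
    return ENIP_HDR_LEN;
}

/* Parse a ListIdentity reply into 'id'. Every length field is checked against the bytes received. */
int enip_parse_list_identity(const uint8_t *pkt, size_t len, struct enip_identity *id)
{
    if (pkt == NULL || id == NULL || len < ENIP_HDR_LEN + 2 || rd16(pkt) != ENIP_CMD_LIST_IDENTITY)
        return -1;
    if ((size_t)rd16(pkt + 2) != len - ENIP_HDR_LEN)    /* header length must agree with the wire */
        return -1;
    const uint8_t *p = pkt + ENIP_HDR_LEN, *end = pkt + len;
    uint16_t item_count = rd16(p);
    p += 2;
    for (uint16_t i = 0; i < item_count; i++) {
        if (end - p < 4)
            return -1;
        uint16_t type = rd16(p), ilen = rd16(p + 2);
        p += 4;
        if ((size_t)(end - p) < ilen)                    /* item claims more bytes than were received */
            return -1;
        if (type == CPF_ITEM_IDENTITY) {
            /* version(2) sockaddr(16) vendor(2) type(2) code(2) rev(2) status(2) serial(4) = 32 bytes,
               then name length(1), name, state(1): a valid item is at least 34 bytes */
            if (ilen < 34)
                return -1;
            id->vendor_id    = rd16(p + 18);
            id->device_type  = rd16(p + 20);
            id->product_code = rd16(p + 22);
            id->rev_major    = p[24];
            id->rev_minor    = p[25];
            id->serial       = rd32(p + 28);
            uint8_t name_len = p[32];
            if (name_len > 32 || (size_t)34 + name_len > ilen)  /* name and state byte must fit */
                return -1;
            memcpy(id->product_name, p + 33, name_len);
            id->product_name[name_len] = '\0';
            return 0;
        }
        p += ilen;                                       /* skip items we do not care about */
    }
    return -1;                                           /* no identity item in the reply */
}

/* Constructed sample reply, as a device with vendor 0x1234 running stack revision 2.28 might send. */
size_t build_sample_reply(uint8_t *out, size_t cap)
{
    static const char name[] = "Demo ENIP Adapter";
    uint8_t n = (uint8_t)(sizeof name - 1);
    uint16_t ilen = 34 + n, dlen = 2 + 4 + ilen;
    if (cap < ENIP_HDR_LEN + dlen)
        return 0;
    memset(out, 0, ENIP_HDR_LEN + dlen);
    wr16(out, ENIP_CMD_LIST_IDENTITY);
    wr16(out + 2, dlen);
    uint8_t *p = out + ENIP_HDR_LEN;
    wr16(p, 1); p += 2;                                  /* one CPF item */
    wr16(p, CPF_ITEM_IDENTITY); wr16(p + 2, ilen); p += 4;
    wr16(p, 1);                                          /* encapsulation protocol version */
    p[2] = 0; p[3] = 2;                                  /* sin_family AF_INET (big-endian) */
    p[4] = ENIP_TCP_PORT >> 8; p[5] = ENIP_TCP_PORT & 0xFF;  /* sin_port (big-endian) */
    p[6] = 192; p[7] = 168; p[8] = 1; p[9] = 10;         /* sin_addr */
    wr16(p + 18, 0x1234); wr16(p + 20, 0x000C); wr16(p + 22, 0x0042);
    p[24] = 2; p[25] = 28;                               /* revision 2.28 */
    wr32(p + 28, 0xA5A5);                                /* serial number */
    p[32] = n; memcpy(p + 33, name, n);
    p[33 + n] = 3;                                       /* state */
    return ENIP_HDR_LEN + dlen;
}

/* Build the sample reply, optionally truncated by 'drop' bytes, and parse it. */
int fingerprint_sample(struct enip_identity *id, size_t drop)
{
    uint8_t buf[128];
    size_t n = build_sample_reply(buf, sizeof buf);
    if (n == 0 || drop > n)
        return -1;
    return enip_parse_list_identity(buf, n - drop, id);
}

int main(void)
{
    uint8_t req[ENIP_HDR_LEN];
    struct enip_identity id;
    size_t n = enip_build_list_identity(req, sizeof req);
    printf("ListIdentity request (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", req[i]);
    printf("\n");
    if (fingerprint_sample(&id, 0) == 0)
        printf("vendor=0x%04x type=0x%04x code=0x%04x rev=%d.%d serial=0x%08x name=\"%s\"\n",
               id.vendor_id, id.device_type, id.product_code, id.rev_major, id.rev_minor,
               (unsigned)id.serial, id.product_name);
    printf("truncated reply rejected: %d\n", fingerprint_sample(&id, 10));
    return 0;
}
```

Against a live device you would send the 24 bytes from enip_build_list_identity() to TCP or UDP port 44818 and feed the reply to enip_parse_list_identity(). The parser checks every length field against the bytes actually received before using it, the discipline a stack-based overflow implies was missing somewhere in the vulnerable parser. Vendor IDs are assigned by ODVA, so vendor ID plus product name is what lets a scan attribute devices to vendors and, by comparing identity fields and protocol behaviour across devices, to a common underlying stack.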

Claroty notes that many vendors may have licensed vulnerable versions of the stack before the 2012 update (the stack was first issued in the early 2000s) and integrated it into their own firmware. Such devices would still be running the vulnerable code in the wild today.

The fix is to move to a current version of the ENIP stack (2.28 or later). Because the stack is embedded in third-party firmware, that means device vendors must rebuild their firmware against a fixed stack and operators must apply the resulting firmware updates; operators who are unsure should ask their vendor whether a product contains RTA’s 499ES stack and which version.


Recommendations:

  • Users are advised to minimize network exposure for all control system devices or systems and ensure that they are not accessible from the Internet.

  • It is highly recommended to locate control system networks and remote devices behind firewalls and isolate them from the business network.

  • Always use secure methods when remote access is required, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.