Advisory

Researchers investigate Industrial MMS Protocol Libraries, find old flaws

Take action: Download Claroty's MMS Stack Detector and scan your infrastructure. At a minimum you will have a clearer picture of your security posture and can communicate the risk to management in concrete terms. It's understood that the first (and possibly only) action permitted will be "isolate the network", but by working with the vendor you may be able to apply the available patches.


Learn More

Claroty’s Team82 has identified and reported five critical vulnerabilities in implementations of the Manufacturing Message Specification (MMS) protocol. They pose significant risk to industrial control systems (ICS) because they allow attackers to crash devices and, in some scenarios, execute remote code.

The IEC 61850 standard, which governs MMS communication, is integral to the functioning of power sector systems. However, it relies on older protocols that have not kept up with modern security demands, making it a target for cyber threats.

The vulnerabilities are found in two key implementations which are widely used for communication between intelligent electronic devices (IEDs) and SCADA (Supervisory Control and Data Acquisition) systems in the power sector:

  • MZ Automation’s libIEC61850 library
  • Triangle MicroWorks’ TMW IEC 61850 library

Details of the Vulnerabilities

  1. CVE-2022-2970 (CVSS score 10.0): A stack-based buffer overflow in libIEC61850, allowing attackers to cause a device crash or execute arbitrary code remotely
  2. CVE-2022-2972 (CVSS score 10.0): Another stack-based buffer overflow in libIEC61850, also enabling remote code execution or device crashes
  3. CVE-2022-2971 (CVSS score 8.6): A type confusion issue in libIEC61850 that can be exploited to crash the server with a crafted payload
  4. CVE-2022-2973 (CVSS score 8.6): A null pointer dereference in libIEC61850, which can lead to a server crash
  5. CVE-2022-38138 (CVSS score 7.5): An uninitialized pointer vulnerability in Triangle MicroWorks’ library, which allows attackers to create a denial-of-service (DoS) condition
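
The libIEC61850 defect classes listed above (a copy into a fixed stack buffer sized by a wire-supplied length, a null pointer dereference, an uninitialized pointer) share one root cause: a value taken from the packet is used before it is checked. The following added example is not Claroty's, MZ Automation's or Triangle MicroWorks' code and does not reproduce any of the CVEs above. It uses a constructed short-form BER-style tag/length/value record (MMS payloads are ASN.1 BER encoded) to show the naive decoding pattern beside a decoder that validates every wire-derived value against both the bytes actually received and the destination capacity. The names `decode_naive`, `decode_checked`, `VALUE_MAX`, the `check_*` helpers and the sample packets are my own, not identifiers from either library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy record layout (constructed for this example): one tag byte, one
 * short-form BER length byte (0..127), then `length` bytes of value.
 * Real MMS/ASN.1 BER also uses long-form lengths, which this toy rejects. */
#define VALUE_MAX 32

/* Defect pattern, for contrast only: the length byte is trusted and drives a
 * memcpy into a fixed-size stack buffer. A length larger than VALUE_MAX, or
 * larger than the bytes actually received, reads and writes out of bounds.
 * It is only ever called below with a well-formed packet. */
int decode_naive(const uint8_t *buf, size_t buflen, uint8_t *out) {
    uint8_t value[VALUE_MAX];
    if (buflen < 2) return -1;
    size_t len = buf[1];
    memcpy(value, buf + 2, len);   /* no check against VALUE_MAX or buflen */
    memcpy(out, value, len);
    return (int)len;
}

/* Hardened decoder: pointers are validated before use, the header must be
 * complete, and the claimed length is bounded by both the received byte
 * count and the caller's destination capacity before any copy happens. */
int decode_checked(const uint8_t *buf, size_t buflen,
                   uint8_t *out, size_t outcap, uint8_t *tag) {
    if (buf == NULL || out == NULL || tag == NULL) return -1; /* null deref guard */
    if (buflen < 2) return -2;                /* tag + length byte not present */
    if (buf[1] & 0x80) return -3;             /* long-form length: unsupported here */
    size_t len = buf[1];
    if (len > buflen - 2) return -4;          /* claims more bytes than received */
    if (len > outcap) return -5;              /* would overflow the destination */
    *tag = buf[0];
    memcpy(out, buf + 2, len);
    return (int)len;
}

/* Constructed sample packets (not captured traffic). Each helper returns the
 * decoder's result so the outcome can be checked by a caller. */
int check_valid_packet(void) {
    const uint8_t pkt[] = { 0x8A, 0x03, 'a', 'b', 'c' };
    uint8_t out[VALUE_MAX];
    uint8_t tag = 0;
    int n = decode_checked(pkt, sizeof pkt, out, sizeof out, &tag);
    return (n == 3 && tag == 0x8A && memcmp(out, "abc", 3) == 0) ? n : -100;
}

int check_truncated_packet(void) {
    /* Length byte claims 127 bytes, but only 2 bytes of value follow. */
    const uint8_t pkt[] = { 0x8A, 0x7F, 'a', 'b' };
    uint8_t out[VALUE_MAX];
    uint8_t tag = 0;
    return decode_checked(pkt, sizeof pkt, out, sizeof out, &tag);  /* -4 */
}

int check_oversized_value(void) {
    /* Well-formed 40-byte value, but the destination holds only VALUE_MAX. */
    uint8_t pkt[2 + 40];
    pkt[0] = 0x8A;
    pkt[1] = 40;
    memset(pkt + 2, 'x', 40);
    uint8_t out[VALUE_MAX];
    uint8_t tag = 0;
    return decode_checked(pkt, sizeof pkt, out, sizeof out, &tag);  /* -5 */
}

int main(void) {
    const uint8_t ok[] = { 0x8A, 0x03, 'a', 'b', 'c' };
    uint8_t out[VALUE_MAX];
    printf("naive, well-formed input : %d\n", decode_naive(ok, sizeof ok, out));
    printf("checked, well-formed     : %d\n", check_valid_packet());
    printf("checked, truncated       : %d\n", check_truncated_packet());
    printf("checked, oversized value : %d\n", check_oversized_value());
    return 0;
}
```

The two rejected cases map directly onto the advisory's crash and code-execution outcomes: a truncated packet makes the naive decoder read past the received data, and an over-long value makes it write past the stack buffer. When reviewing a vendor patch for one of the CVEs above, these are the checks to look for, and running the parser under AddressSanitizer (`-fsanitize=address`) with malformed inputs is a cheap way to confirm they are present.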

Impact and Mitigation

These vulnerabilities affect industrial devices by potentially disrupting the communication between IEDs and control centers, which is fundamental for the operation of digital substations and power grids.

Claroty has made a tool, MMS Stack Detector, available to help identify these vulnerabilities and to detect the specific implementations affected. The affected vendors have issued patches, and CISA has published guidelines urging operators to update their systems.
