The vulnerability affects PAC Control Basic and PAC Control Professional version R10.0a and earlier and could allow arbitrary code execution.
# Vulnerability: Stack-based Buffer Overflow in Opto 22 PAC Control
## CVE Details
- **CVE ID:** CVE-2018-14815 (and related CVE-2018-14823)
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** PAC Control Basic and PAC Control Professional.
- **Versions:** R10.0a and all earlier versions.
- **Configurations:** Systems utilizing the PAC Control runtime environments for industrial automation and control logic.
## Vulnerability Description
The flaw is a stack-based buffer overflow. It occurs when the application fails to validate the length of input data before copying it into a fixed-size stack buffer. An attacker can supply a specially crafted project file or a malicious network packet whose data exceeds the buffer's capacity, overwriting control data on the stack (e.g., the saved return address) and thereby hijacking execution flow.
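To make the bug class concrete, the following is an added example (not Opto 22 code and not the real PAC Control project-file or wire format): a constructed record layout with a 1-byte tag, a 2-byte big-endian length and a payload, copied into a fixed-size stack buffer first without and then with length validation.

```c
/* Added example (not Opto 22 code): the CWE-121 pattern described above on a
 * constructed record layout -- 1-byte tag, 2-byte big-endian length, payload.
 * This is NOT the real PAC Control project-file or wire format. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX 32u   /* capacity of the fixed-size stack buffer */
#define HDR_LEN  3u    /* tag byte + 2-byte length field */

/* Vulnerable shape: the input's own length field is used as the copy size and
 * never compared to the destination, so a long record overruns the stack buffer. */
size_t copy_name_unchecked(const uint8_t *rec, char *dst)
{
    size_t n = ((size_t)rec[1] << 8) | rec[2];
    memcpy(dst, rec + HDR_LEN, n);   /* no bound on n */
    return n;
}

/* Hardened shape: the length is checked against the bytes actually held
 * and against the destination capacity before any copy happens. */
int copy_name_checked(const uint8_t *rec, size_t rec_len, char *dst, size_t dst_cap)
{
    if (rec_len < HDR_LEN) return -1;            /* truncated header */
    size_t n = ((size_t)rec[1] << 8) | rec[2];
    if (n > rec_len - HDR_LEN) return -1;        /* claims more than is present */
    if (n >= dst_cap) return -1;                 /* would overflow; keep room for NUL */
    memcpy(dst, rec + HDR_LEN, n);
    dst[n] = '\0';
    return (int)n;
}

/* Parse into a fixed-size stack buffer safely; payload length or -1 if rejected. */
int parse_record(const uint8_t *rec, size_t rec_len)
{
    char name[NAME_MAX];
    return copy_name_checked(rec, rec_len, name, sizeof name);
}

/* Constructed sample records (not captured from any product). */
const uint8_t kRecOk[]   = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
const uint8_t kRecLies[] = { 0x01, 0x01, 0x00, 'a', 'b' };  /* claims 256, carries 2 */

/* Record whose declared and actual payload (40 bytes) both exceed NAME_MAX. */
int demo_too_long(void)
{
    uint8_t rec[HDR_LEN + 40] = { 0x01, 0x00, 40 };
    memset(rec + HDR_LEN, 'A', 40);
    return parse_record(rec, sizeof rec);
}
```

The checked version rejects three distinct malformed inputs (truncated header, length larger than the data held, length larger than the destination); the unchecked version has no rejection path at all, which is the condition the advisory describes.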
## Exploitation
- **Status:** PoC available (demonstrated by researchers); no confirmed widespread exploitation in the wild at time of reporting.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Remote) / Local (via Malicious File).
## Impact
- **Confidentiality:** High (Potential for unauthorized data access).
- **Integrity:** High (Ability to modify control logic or system files).
- **Availability:** High (Potential for system crashes or complete takeover leading to process disruption).
## Remediation
### Patches
- **Update to Version R10.0b or later:** Opto 22 released PAC Project Software Suite R10.0b which addresses these vulnerabilities. Users should migrate to the latest stable version available on the manufacturer's website.
### Workarounds
- **Network Segmentation:** Ensure that controllers and engineering workstations are on a restricted network and not directly accessible from the internet.
- **Access Control:** Restrict access to PAC Control projects to authorized personnel only to prevent the loading of malicious project files.
- **Firewalling:** Block unnecessary ports and use industrial firewalls to monitor traffic to port 22001 (default communication port).
## Detection
- **Indicators of Compromise:** Unexpected service restarts, crashes of the PAC Control runtime, or unauthorized modifications to control strategies.
- **Detection methods and tools:** Monitor for unusual network traffic patterns on control ports; utilize ICS-aware Intrusion Detection Systems (IDS) to identify malformed industrial protocol packets.
## References
- **Vendor Advisory:** hxxps[://]www[.]opto22[.]com/support/resources-tools/knowledgebase/kb86823
- **CISA Advisory:** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-18-242-01
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/09/11/buffer-overflow-vulnerabilities-in-industrial-automation-products-by-opto22/