QwikSec

Security Database

CVE

CWE

Training

CVE-2020-15158

Published: Aug 26, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

7.7

HIGH

Description

In libIEC61850 before version 1.4.3, when a message with COTP message length field with value < 4 is received an integer underflow will happen leading to heap buffer overflow. This can cause an application crash or on some platforms even the execution of remote code. If your application is used in open networks or there are untrusted nodes in the network it is highly recommend to apply the patch. This was patched with commit 033ab5b. Users of version 1.4.x should upgrade to version 1.4.3 when available. As a workaround changes of commit 033ab5b can be applied to older versions.

Vendor	Product	Versions
mz-automation	libiec61850	affected `< 1.4.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

High

References

https://github.com/mz-automation/libiec61850/security/advisories/GHSA-pq77-fmf7-hjw8

x_refsource_CONFIRM

https://github.com/mz-automation/libiec61850/issues/250

x_refsource_MISC

https://github.com/mz-automation/libiec61850/commit/033ab5b6488250c8c3b838f25a7cbc3e099230bb

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.