CVE-2021-21778
A denial of service vulnerability exists in the ASDU message processing functionality of MZ Automation GmbH lib60870.NET 2.2.0. A specially crafted network request can lead to loss of communications. An attacker can send an unauthenticated message to trigger this vulnerability.
MZ Automation GmbH lib60870.NET 2.2.0
https://github.com/mz-automation/lib60870.NET
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-617 - Reachable Assertion
lib60870.NET is a .NET implementation of the IEC60870 protocol specification. This library can be used as a building block to implement communications defined within IEC60870 into a custom client/server application.
Contained within the lib60870.NET is an implementation of the IEC60870-5-104 (hereafter IEC104) protocol. IEC104 is a protocol used to transmit simple control messages between the central station and various outstations. It consists of a few information groupings: APDU, APCI, and (conditionally) ASDU. All message types contain the APDU and APCI while only Information Transfer control type messages (hereafter Type I) contain an ASDU. The layout of these message groups is similar to the following (ref: 60870-5-104 specification):
+---+---+---+---+---+---+---+---+ <--+---------+
| Start (0x68) | | |
+---+---+---+---+---+---+---+---+ | |
| Length | | |
+--> +---+---+---+---+---+---+---+---+ | |
| | Control Field Octet 1 | | |
| +---+---+---+---+---+---+---+---+ APCI |
| | Control Field Octet 2 | | |
| +---+---+---+---+---+---+---+---+ | APDU
| | Control Field Octet 3 | | |
Length +---+---+---+---+---+---+---+---+ | |
| | Control Field Octet 4 | | |
| +---+---+---+---+---+---+---+---+ <--+ |
| | | | |
| | ASDU | ASDU |
| | ... | | |
| | | | |
+--> +---+---+---+---+---+---+---+---+ <--+---------+
When an IEC104 Type I message is sent, the specification requires a length of at least (but often more than) nine bytes.
lib60870.NET performs a check to verify that a message of the proper size is being processed, however if the check fails an ASDUParsingException is triggered, causing the application to exit and stopping all communication until an application restart is performed.
The problematic code can be found in lib60870/CS101/ASDU.cs, a snippet of which is shown below:
public ASDU(ApplicationLayerParameters parameters, byte[] msg, int bufPos, int msgLength)
{
this.parameters = parameters;
int asduHeaderSize = 2 + parameters.SizeOfCOT + parameters.SizeOfCA;
// vulnerable code
if ((msgLength - bufPos) < asduHeaderSize)
throw new ASDUParsingException("Message header too small");
typeId = (TypeID)msg[bufPos++];
...
An example implementation of this code can be found in the IEC 60870-5-104 Test Tool application (IEC60870TestMaster.exe) which can be obtained from MZ Automation.
An unhandled exception occurred in IEC60870TestMaster.exe
Exception: lib60870.ASDUParsingException
Message: Message header too small
2021-02-04 - Vendor Disclosure
2021-04-26 - Public Release
Discovered by Jared Rittle of Cisco Talos.