Detections
Analytics

ABB RTU500 Series Infinite Loop in embedded OpenSSL (CVE-2022-0778)

high Tenable OT Security Plugin ID 501745

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A vulnerability exists in the OpenSSL version 1.0.2 that affects the RTU500 Series product versions listed below.

RTU500 series CMU Firmware versions 12.0.1 – 12.0.14 12.2.1 – 12.2.11 12.4.1 – 12.4.11 12.6.1 – 12.6.8 12.7.1 – 12.7.5 13.2.1 – 13.2.5 13.3.1 – 13.3.3 13.4.1

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.
Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self- signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1).
Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

Refer to the vendor advisory.

See Also

http://www.nessus.org/u?dcd01c29

https://www.openssl.org/news/secadv/20220315.txt

http://www.nessus.org/u?de7c40d9

http://www.nessus.org/u?2a52134e

https://www.cisa.gov/news-events/ics-advisories/icsa-23-143-02

http://www.nessus.org/u?10034489

Plugin Details

Severity: High

ID: 501745

Version: 1.1

Type: remote

Family: Tenable.ot

Published: 9/29/2023

Updated: 10/2/2023

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2022-0778

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:hitachienergy:rtu500_firmware

Required KB Items: Tenable.ot/ABB

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/15/2022

Vulnerability Publication Date: 3/15/2022

Reference Information

CVE: CVE-2022-0778

CWE: 835

DSA: DSA-5103

FEDORA: FEDORA-2022-8bb51f6901, FEDORA-2022-9e88b5d8d7, FEDORA-2022-a5f51502f0

GLSA: GLSA-202210-02