Buffer Overflow Vulnerability in Hirschmann Automation and Control Products
CVE-2020-6994
What is CVE-2020-6994?
A buffer overflow vulnerability has been identified in Hirschmann Automation and Control devices running HiOS and HiSecOS. The flaw stems from inadequate parsing of URL arguments: an attacker can send specially crafted HTTP requests that overflow an internal buffer. Devices running HiOS Version 07.0.02 or lower (RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, and RED) and devices running HiSecOS Version 03.2.00 or lower (EAGLE20 and EAGLE30) are at risk. These devices should be secured proactively, as exploitation could lead to unauthorized access or control.
Affected Version(s)
HiOS 07.0.02 and lower, for the following devices: RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED
HiSecOS 03.2.00 and lower, for device EAGLE20/30
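The affected ranges above can be checked against an asset inventory. The following is an added example, not vendor code: the inventory layout (hostname, OS, family, firmware version), the dotted version format, and every hostname and sample version are assumptions constructed for illustration.

```python
import re

# Affected ranges exactly as listed in the advisory text above.
AFFECTED = {
    "HiOS": {"families": {"RSP", "RSPE", "RSPS", "RSPL", "MSP", "EES",
                          "EESX", "GRS", "OS", "RED"},
             "max_affected": (7, 0, 2)},
    "HiSecOS": {"families": {"EAGLE20", "EAGLE30"},
                "max_affected": (3, 2, 0)},
}

# Assumption: firmware versions are reported as three dotted numbers, e.g. 07.0.02.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string does not parse."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def classify(os_name, family, version):
    """Return 'affected', 'not_affected', 'out_of_scope' or 'unknown'."""
    entry = AFFECTED.get(os_name)
    if entry is None or family.upper() not in entry["families"]:
        return "out_of_scope"
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"  # cannot show it is above the range: review manually
    # Numeric tuple comparison, so "7.0.2" and "07.0.02" compare equal.
    return "affected" if parsed <= entry["max_affected"] else "not_affected"

def triage(inventory):
    """Map each hostname to its classification."""
    return {host: classify(os_name, family, version)
            for host, os_name, family, version in inventory}

# Constructed sample inventory; versions are illustrative, not real release numbers.
SAMPLE_INVENTORY = [
    ("sw-line1", "HiOS", "RSP", "07.0.02"),
    ("sw-line2", "HiOS", "GRS", "07.0.03"),
    ("sw-line3", "HiOS", "MSP", "06.1.10"),
    ("fw-cell1", "HiSecOS", "EAGLE30", "03.2.00"),
    ("fw-cell2", "HiSecOS", "EAGLE20", "03.3.00"),
    ("sw-lab", "HiOS", "EES", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices classified as unknown have an unreadable firmware string and should be treated as affected until the version is confirmed.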
