Circutor SGE-PLC1000 OS Command Injection

Posted date 08/06/2021
Importance
5 - Critical
Affected Resources

SGE-PLC1000 firmware version 0.9.2b.

Description

INCIBE has coordinated the publication of a vulnerability in the SGE-PLC1000 device, with the internal code INCIBE-2021-0227, discovered by the Industrial Cybersecurity team of S21sec, with special mention to Aarón Flecha Menéndez.

CVE-2021-33841 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Solution

This issue can be solved through a firmware upgrade that has already been released by the vendor.

Detail

The SGE-PLC1000 device, in firmware version 0.9.2b, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges.

This vulnerability was reported to Circutor and has since been resolved in firmware versions later than the affected one.

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

Timeline:

04/07/2017 – Researchers' disclosure.
31/08/2020 placeholder

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.
