TippingPoint Zero Day Initiative

(0Day) Eaton ELCSoft Project File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

ZDI-17-519: August 7th, 2017

CVSS Score

Affected Vendors


Affected Products


TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 24488. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eaton ELCSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within processing of EPC files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute arbitrary code in the context of the process.

Vendor Response

Eaton states:

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

09/08/2016 - ZDI disclosed the report to ICS-CERT
09/19/2016 - The vendor acknowledged receipt of the report through ICS-CERT and ICS-CERT provided ICS-VU-170656
11/01/2016 - The vendor requested additional details from ZDI through ICS-CERT
11/07/2016 - ZDI provided additional details as requested
03/13/2017, 03/17/2017, and 03/29/2017 - ICS-CERT replied that the vendor cannot validate these on the latest and asked if ZDI could re-vet against their latest version
04/05/2017 - ZDI replied that this report still hits
07/12/2017 - ZDI requested an update from ICS-CERT
07/13/2017 - ICS-CERT indicated that to their knowledge the vendor has not yet created a relevant patch
07/20/2017 - ZDI notified the vendor of the intention to publish the report as 0-day

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

Disclosure Timeline

    2016-09-08 - Vulnerability reported to vendor
    2017-08-07 - Coordinated public release of advisory


This vulnerability was discovered by:
    Ariele Caltabiano (kimiya)