CISA issues alert on Emerson Appleton UPSMON-PRO buffer overflow vulnerability

Emerson's Appleton UPSMON-PRO, specifically versions 2.6 and earlier, contains a stack-based buffer overflow vulnerability that may permit remote code execution with system-level privileges.

The identified weakness, cataloged as CVE-2024-3871, affects the UPSMONProService component. It arises from processing a specially crafted User Datagram Protocol (UDP) packet sent to UDP port 2601, leading to a buffer overflow and memory corruption. The issue has been assigned a Common Vulnerability Scoring System (CVSS) v3.1 base score of 9.8 and a CVSS v4 base score of 9.3, with vector strings AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (v3.1) and AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (v4). The vulnerability is present in Appleton UPSMON-PRO firmware version 2.6 and prior releases.

Exploitation of this vulnerability can enable unauthorized remote attackers to execute arbitrary code on affected devices, potentially gaining full control at the system level.

Emerson has designated Appleton UPSMON-PRO as End of Life and does not provide active support or patches. Users of the product are advised to replace their installations. If replacement is not feasible, mitigation measures include blocking UDP port 2601 with firewall rules, isolating the Uninterruptible Power Supply (UPS) monitoring networks from general corporate networks, filtering out oversized UDP packets destined for port 2601, and monitoring for crashes of the UPSMONProSer.exe process as indicators of exploitation attempts.
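The two compensating controls above that can be automated, filtering what reaches UDP port 2601 and watching for crashes of UPSMONProSer.exe, lend themselves to a small triage script. The following is an added example written for this article; it is not code from CISA, Emerson, or the UPSMON-PRO product. The firewall-log format, the Windows application-log format, the payload-size threshold, the allowlisted management host, the correlation window and every sample log line are constructed assumptions for illustration and would need to be adapted to a real environment.

```python
"""Added example (not from the CISA advisory or Emerson): defender-side
triage for the two automatable CVE-2024-3871 mitigations, namely filtering
datagrams aimed at UDP/2601 and correlating UPSMONProSer.exe crashes with
suspicious edge traffic. All formats, thresholds and addresses are assumed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

UPSMON_PORT = 2601
# Assumed placeholder: the advisory does not publish the protocol's
# legitimate datagram size, so tune this to observed UPS traffic.
MAX_EXPECTED_UDP_PAYLOAD = 256
# Assumed allowlist: only the UPS management host may reach port 2601.
ALLOWED_SOURCES = {"10.20.0.5"}
# Assumed: a crash this soon after a suspicious datagram is worth escalating.
CORRELATION_WINDOW = timedelta(seconds=60)

# Constructed log formats (not a real netfilter or Windows Event Log layout).
FW_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) fw UPS-EDGE SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) PROTO=UDP DPT=(?P<dpt>\d+) LEN=(?P<len>\d+)$"
)
CRASH_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Application 1000 Error "
    r"Faulting application name: (?P<exe>\S+),"
)


@dataclass
class Alert:
    when: datetime
    severity: str
    detail: str


def classify_udp_packet(src: str, dst_port: int, payload_len: int) -> str:
    """Edge policy for one UDP datagram: 'allow' or a drop reason.
    Mirrors the advisory's advice to block the port for untrusted sources
    and to filter oversized datagrams destined for it."""
    if dst_port != UPSMON_PORT:
        return "allow"  # the policy only concerns the UPSMON-PRO listener
    if src not in ALLOWED_SOURCES:
        return "drop:unauthorised-source"
    if payload_len > MAX_EXPECTED_UDP_PAYLOAD:
        return "drop:oversized"
    return "allow"


def scan_firewall_log(lines):
    """Return (timestamp, source, verdict) for each datagram aimed at UDP/2601."""
    events = []
    for line in lines:
        m = FW_LINE.match(line)
        if not m or int(m["dpt"]) != UPSMON_PORT:
            continue
        verdict = classify_udp_packet(m["src"], int(m["dpt"]), int(m["len"]))
        events.append((datetime.fromisoformat(m["ts"]), m["src"], verdict))
    return events


def scan_crash_log(lines):
    """Return timestamps of application-error events for UPSMONProSer.exe."""
    return [
        datetime.fromisoformat(m["ts"])
        for m in map(CRASH_LINE.match, lines)
        if m and m["exe"].lower() == "upsmonproser.exe"
    ]


def correlate(fw_lines, app_lines):
    """Raise a medium alert for every filtered datagram and a high alert when the
    monitored service crashes within CORRELATION_WINDOW after one of them."""
    suspicious = [e for e in scan_firewall_log(fw_lines) if e[2] != "allow"]
    alerts = [Alert(t, "medium", f"{v} UDP/{UPSMON_PORT} datagram from {s}")
              for t, s, v in suspicious]
    for crash_t in scan_crash_log(app_lines):
        nearby = sorted({s for t, s, _ in suspicious
                         if timedelta(0) <= crash_t - t <= CORRELATION_WINDOW})
        if nearby:
            alerts.append(Alert(crash_t, "high",
                                "UPSMONProSer.exe crashed shortly after suspicious "
                                f"UDP/{UPSMON_PORT} traffic from {', '.join(nearby)}"))
        else:
            alerts.append(Alert(crash_t, "medium",
                                "UPSMONProSer.exe crashed; no matching edge traffic"))
    return sorted(alerts, key=lambda a: a.when)


# Constructed sample data: an authorised status datagram, unrelated SNMP
# traffic, an external oversized datagram, a crash 15 s later, and an
# oversized datagram from the allowlisted host after the crash.
SAMPLE_FW_LOG = [
    "2024-06-03 12:00:01 fw UPS-EDGE SRC=10.20.0.5 DST=10.20.0.10 PROTO=UDP DPT=2601 LEN=48",
    "2024-06-03 12:00:05 fw UPS-EDGE SRC=10.20.0.5 DST=10.20.0.10 PROTO=UDP DPT=161 LEN=90",
    "2024-06-03 12:00:30 fw UPS-EDGE SRC=203.0.113.7 DST=10.20.0.10 PROTO=UDP DPT=2601 LEN=1400",
    "2024-06-03 12:01:10 fw UPS-EDGE SRC=10.20.0.5 DST=10.20.0.10 PROTO=UDP DPT=2601 LEN=900",
]
SAMPLE_APP_LOG = [
    "2024-06-03 12:00:45 Application 1000 Error Faulting application name: UPSMONProSer.exe, version: 2.6.0.0",
    "2024-06-03 12:03:00 Application 1000 Error Faulting application name: notepad.exe, version: 10.0.0.0",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_FW_LOG, SAMPLE_APP_LOG):
        print(a.when.isoformat(), a.severity.upper(), a.detail)
```

Run against the constructed sample, the script produces a medium alert for the external datagram, a high alert for the crash that follows it within the window, and a medium alert for the later oversized datagram from the allowlisted host. The crash-only path still alerts at medium severity, since on an end-of-life product a service fault with no visible trigger is itself worth a look.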

Guidance for reducing exposure includes limiting network access to control system devices so they are not reachable from the Internet, placing control networks behind firewalls and segregating them from business networks, and using secure remote access methods such as Virtual Private Networks (VPNs) kept updated to current versions, while recognizing that the VPN itself and the devices it connects may carry their own security weaknesses. Organizations should conduct a thorough impact assessment before implementing these measures. Additional resources and recommended practices for industrial control system security are available from CISA to support defense-in-depth strategies and proactive protection. Suspected exploitation should be reported to CISA. At present, no public reports of attacks exploiting this vulnerability have been identified.