MMS Protocol: Security Flaws Expose Industrial Systems to Attack

Researchers from Claroty have identified several vulnerabilities in the implementation of the Manufacturing Message Specification (MMS) protocol, which poses a significant threat to industrial systems. These vulnerabilities enable attackers to disable devices or execute remote code.

MMS is an application-layer protocol in the OSI model that facilitates remote control and monitoring of industrial devices. It is used to exchange information between Intelligent Electronic Devices (IEDs) and SCADA systems or Programmable Logic Controllers (PLCs).

Claroty uncovered five vulnerabilities affecting the MZ Automation and Triangle MicroWorks libraries that support the MMS protocol. These vulnerabilities received high scores on the CVSS scale and have since been patched by the manufacturers.

• CVE-2022-2970 (score: 10.0) — a buffer overflow vulnerability in libIEC61850, which allows for remote code execution or system crashes;
• CVE-2022-2971 (score: 8.6) — a type confusion vulnerability enabling attackers to crash the server via a malicious packet;
• CVE-2022-2972 (score: 10.0) — another buffer overflow vulnerability, which can lead to code execution or system failure;
• CVE-2022-2973 (score: 8.6) — a null pointer dereference flaw causing server crashes;
• CVE-2022-38138 (score: 7.5) — an uninitialized pointer use, leading to a Denial of Service (DoS) attack.

Additionally, it was discovered that Siemens SIPROTEC 5 devices used an outdated version of the protocol stack, making them vulnerable to DoS attacks. Siemens has released a firmware update to address this issue.

Notably, all of the above vulnerabilities were identified and patched in 2022, but the information was only made public two years later to allow as many industrial systems as possible to update.

Cyberattacks in this sector can cause significant damage, as critical infrastructures such as factories, power plants, and transportation systems tend to follow the “if it works, don’t fix it” principle and rarely update their software. Any error in new code could halt operations, and therefore, few are willing to take that risk.

Disclosing these vulnerabilities immediately after their discovery could have given malicious actors time to prepare attacks on unpatched systems. Therefore, Claroty’s experts adhered to the principle of responsible disclosure, giving owners of vulnerable systems time to implement necessary updates and enhance security before the information was made public.

Claroty emphasized that these vulnerabilities starkly highlight the gap between modern security requirements and the continued use of outdated industrial protocols still in operation. Many systems, particularly in critical industries, rely on technologies introduced decades ago.

These protocols were developed without consideration for contemporary cyber threats, and replacing them is often a complex and resource-intensive task. The issue is exacerbated by the fact that updating such systems can result in production downtime, creating additional business risks.

As such, Claroty strongly recommends that equipment manufacturers and infrastructure owners pay close attention to the guidelines issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Following these instructions will not only help eliminate existing vulnerabilities but also improve the overall resilience of industrial systems against potential future attacks.