Hirschmann Automation and Control HiOS and HiSecOS Products (ICSA-20-091-01)

CISA has published an advisory on a classic buffer overflow vulnerability in Hirschmann Automation and Control HiOS and HiSecOS Products. The following devices using HiOS Version 07.0.02 and lower are affected: RSP, RSPE, RSPS, RSPL, MSP, EES, EES, EESX, GRS, OS, RED. The following devices using HiSecOS Version 03.2.00 and lower are affected: EAGLE20/30. Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to overflow a buffer and fully compromise the device. Hirschmann recommends updating HiOS products to Version 07.0.03 or higher and HiSecOS products to Version 03.3.00 or higher. Hirschmann also recommends, as a workaround, users either use the “IP Access Restriction” feature to restrict HTTP and HTTPS to trusted IP addresses, or disable the HTTP and HTTPS server. CISA also recommends a series of measures to mitigate the vulnerability. Read the advisory at CISA.