Circutor SGE-PLC1000 OS Command Injection
SGE-PLC1000 firmware version 0.9.2b.
INCIBE has coordinated the publication of a vulnerability in the SGE-PLC1000 device, with the internal code INCIBE-2021-0227, which was discovered by the Industrial Cybersecurity team of S21sec, with special mention to Aarón Flecha Menéndez.
CVE-2021-33841 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
This issue can be solved through a firmware upgrade that has already been released by the vendor.
The SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges.
This vulnerability was reported to Circutor and has been resolved since then in firmware versions later than the one affected.
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
Timeline:
04/07/2017 – Researchers' disclosure.
17/08/2020 – Researchers contact INCIBE.
26/03/2021 – Circutor confirms the vulnerability to INCIBE and confirms that the fixed version and the software patch have been released (Security Patch).
08/06/2021 – The advisory is published by INCIBE.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.