Critical vulnerability in Hirschmann HiOS and HiSecOS secure operating systems
The Cybersecurity and Infrastructure Security Agency (CISA) released a security bulletin on March 31, revealing a security vulnerability in Hirschmann Automation and Control's HiOS and HiSecOS products.
Hirschmann Automation and Control, founded in 1924, operates in the field of automation communication. Its product range includes mobile transmission and reception systems using analog and digital broadcasting and television transmission technologies, enterprise and industrial network solutions, and fieldbus systems. Hirschmann was acquired by Belden in 2007. Hirschmann HiOS and HiSecOS are both secure operating systems launched by Belden.
According to the security bulletin released by Belden, there is a buffer overflow vulnerability in the HTTP(S) web server of HiOS and HiSecOS, which remote attackers can exploit to compromise the target device. No authentication is required to exploit this vulnerability. The vulnerability is caused by improper parsing of URL parameters: a specially crafted HTTP request can overflow an internal buffer.
The vulnerability is tracked as CVE-2020-6994, with a CVSS v3 score of 9.8. In the announcement, Belden credited the two researchers who reported the vulnerability, Sebastian Krause and Toralf Gimpel from GAI NetConsult in Germany.
Hirschmann RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED switches using HiOS 07.02 and earlier versions, and Hirschmann EAGLE 20/30 firewalls using HiSecOS 03.2.00 and earlier versions are affected by this vulnerability.
The manufacturer has fixed the vulnerability and recommends that HiOS users update to version 07.03 or higher as soon as possible, and HiSecOS users update to version 03.3.00 or higher.
As a workaround, Belden also recommends that users use the "IP Access Restriction" feature to restrict HTTP and HTTPS access to trusted IP addresses, or disable the HTTP and HTTPS servers.

