Cipster
Monthly
Out-of-bounds read in CIPster's EtherNet/IP symbolic path parser exposes industrial control systems to remote availability disruption and potential memory disclosure. The flaw resides in `CipAppPath::deserialize_symbolic` (source/src/cip/cipepath.cc), where unsafe `memcpy` calls copy attacker-controlled byte counts from a network-supplied CIP symbolic path segment into a fixed-size stack buffer without bounds enforcement, reachable by a remote unauthenticated attacker sending a crafted EtherNet/IP explicit messaging request. No active exploitation is confirmed (not in CISA KEV), but a POC exploit archive has been publicly released and the CVSS 4.0 E:P modifier corroborates exploit availability.
Out-of-bounds read in CIPster's EtherNet/IP symbolic path parser exposes industrial control systems to remote availability disruption and potential memory disclosure. The flaw resides in `CipAppPath::deserialize_symbolic` (source/src/cip/cipepath.cc), where unsafe `memcpy` calls copy attacker-controlled byte counts from a network-supplied CIP symbolic path segment into a fixed-size stack buffer without bounds enforcement, reachable by a remote unauthenticated attacker sending a crafted EtherNet/IP explicit messaging request. No active exploitation is confirmed (not in CISA KEV), but a POC exploit archive has been publicly released and the CVSS 4.0 E:P modifier corroborates exploit availability.