PT-2024-3703 · Cpc80+5 · Cpc80+5
Steffen Robertz · Published 2024-05-14 · Updated 2024-11-27 · CVE-2024-31484
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
CPC80 Central Processing/Communication versions prior to V16.41
CPCI85 Central Processing/Communication versions prior to V5.30
CPCX26 Central Processing/Communication versions prior to V06.02
ETA4 Ethernet Interface IEC60870-5-104 versions prior to V10.46
ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 versions prior to V03.27
PCCX26 Ax 1703 PE, Contr, Communication Element versions prior to V06.05
Description
The affected devices contain an improper null termination issue in the code that parses a specific HTTP header. An attacker could exploit this to execute arbitrary code in the context of the current process or to cause a denial of service condition.
Recommendations
For CPC80 Central Processing/Communication versions prior to V16.41, update to version V16.41 or later.
For CPCI85 Central Processing/Communication versions prior to V5.30, update to version V5.30 or later.
For CPCX26 Central Processing/Communication versions prior to V06.02, update to version V06.02 or later.
For ETA4 Ethernet Interface IEC60870-5-104 versions prior to V10.46, update to version V10.46 or later.
For ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 versions prior to V03.27, update to version V03.27 or later.
For PCCX26 Ax 1703 PE, Contr, Communication Element versions prior to V06.05, update to version V06.05 or later.
As a temporary workaround, consider restricting access to the vulnerable HTTP header until a patch is available.
Affected Products
Cpc80
Cpci85
Cpcx26
Eta4
Eta5
Pccx26