CVE-2024-28286 Overview
CVE-2024-28286 is a NULL pointer dereference vulnerability in mz-automation libiec61850 version 1.4.0, an open-source library that implements the IEC 61850 communication protocols used in electrical substation automation. The flaw resides in the mmsServer_handleFileCloseRequest function within src/mms/iso_mms/server/mms_file_service.c. A remote attacker can send a crafted Manufacturing Message Specification (MMS) request that triggers a segmentation fault (SEGV), crashing the server process. The issue is classified as CWE-476 (NULL Pointer Dereference) and affects the availability of industrial control system (ICS) endpoints relying on this library.
Critical Impact
An unauthenticated remote attacker can crash IEC 61850 MMS server instances, disrupting communication in substation automation environments.
Affected Products
- mz-automation libiec61850 version 1.4.0
- Applications and devices embedding the affected libiec61850 MMS server component
- IEC 61850 substation automation deployments using the vulnerable release
Discovery Timeline
- 2024-03-21 - CVE-2024-28286 published to NVD
- 2025-06-02 - Last updated in NVD database
Technical Details for CVE-2024-28286
Vulnerability Analysis
The vulnerability is a NULL pointer dereference in the MMS file service handler of libiec61850. When the server processes a FileCloseRequest message via mmsServer_handleFileCloseRequest, it dereferences a pointer that can be NULL under specific request conditions. The dereference triggers a SIGSEGV, terminating the server process and breaking active MMS associations. Because IEC 61850 MMS is exposed over the network, the condition is reachable without authentication or user interaction, producing a denial-of-service impact on industrial automation services. The flaw is tracked under CWE-476 (NULL Pointer Dereference).
Root Cause
The handler does not validate whether the file handle or related state object referenced by the incoming MMS FileClose request is valid before dereferencing it. When a client sends a FileClose request whose frsmId refers to a file that was never opened, is invalid, or has already been closed, the lookup for that handle yields NULL, and the subsequent access causes the process to crash.
Attack Vector
Exploitation requires network access to the MMS server port (typically TCP/102 for IEC 61850). An attacker establishes an MMS association and submits a malformed or out-of-sequence FileClose request. No credentials or user interaction are required. See the GitHub Issue Discussion for technical reproduction details.
No verified public proof-of-concept code is available; the upstream issue tracker describes the vulnerability without providing exploitation code.
Detection Methods for CVE-2024-28286
Indicators of Compromise
- Unexpected termination or repeated restarts of processes linking against libiec61850 1.4.0
- Core dumps showing a SIGSEGV inside mmsServer_handleFileCloseRequest or related MMS file service symbols
- MMS associations from unknown source IPs immediately followed by server disconnection events
Detection Strategies
- Monitor MMS server logs for abrupt session terminations following FileClose PDUs from unauthenticated peers
- Inspect network captures on TCP/102 for MMS FileClose requests referencing file IDs that were never opened in the same association
- Enable crash reporting on host operating systems to flag SIGSEGV events in IEC 61850 server binaries
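As an added illustration of the root cause above and of the detection strategy that looks for FileClose requests naming file IDs never opened in the same association, the following is a small model written for this advisory, not libiec61850's own code: the frsm table, the handler names and the error value are assumptions. It shows the unchecked lookup beside its hardened form, and reuses the same state model to replay a constructed event sequence and count suspicious closes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_FRSM 8
#define MMS_ERR_OTHER (-1)   /* assumed stand-in for an MMS error response */

typedef struct { int32_t frsmId; int inUse; } Frsm;   /* one open-file session (assumed layout) */
typedef struct { Frsm frsms[MAX_FRSM]; } Assoc;        /* per-association file state */

/* Returns NULL when no open session matches frsmId: the value an unchecked handler dereferences (CWE-476). */
static Frsm *assoc_lookup(Assoc *a, int32_t frsmId) {
    for (int i = 0; i < MAX_FRSM; i++)
        if (a->frsms[i].inUse && a->frsms[i].frsmId == frsmId) return &a->frsms[i];
    return NULL;
}

int assoc_open(Assoc *a, int32_t frsmId) {
    for (int i = 0; i < MAX_FRSM; i++)
        if (!a->frsms[i].inUse) { a->frsms[i].inUse = 1; a->frsms[i].frsmId = frsmId; return 0; }
    return MMS_ERR_OTHER;   /* no free slot */
}

/* Unchecked pattern: a FileClose naming an unopened or already-closed id dereferences NULL
   and takes the whole server down. Shown for contrast only; never called here. */
int handle_file_close_unchecked(Assoc *a, int32_t frsmId) {
    Frsm *f = assoc_lookup(a, frsmId);
    f->inUse = 0;
    return 0;
}

/* Hardened form: validate the handle first and answer with an error (modelled as a return code). */
int handle_file_close(Assoc *a, int32_t frsmId) {
    Frsm *f = assoc_lookup(a, frsmId);
    if (f == NULL) return MMS_ERR_OTHER;
    f->inUse = 0;
    return 0;
}

/* Passive check: replay constructed open ('O') / close ('C') events per association and
   count closes whose id was never opened there or was already closed. */
typedef struct { int assocId; char op; int32_t frsmId; } Event;
int count_suspicious_closes(const Event *ev, size_t n) {
    Assoc table[4]; int hits = 0;
    memset(table, 0, sizeof table);
    for (size_t i = 0; i < n; i++) {
        Assoc *a = &table[ev[i].assocId % 4];
        if (ev[i].op == 'O') assoc_open(a, ev[i].frsmId);
        else if (handle_file_close(a, ev[i].frsmId) != 0) hits++;
    }
    return hits;
}
```

The same per-association bookkeeping that makes the server safe is what a passive monitor on TCP/102 needs to flag closes that reference ids never opened in that association.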
Monitoring Recommendations
- Track process uptime and restart counts for IEC 61850 MMS services as a baseline anomaly metric
- Alert on repeated MMS session resets originating from the same external source within short time windows
- Forward host crash telemetry and ICS network flow logs into a centralized analytics platform for correlation
How to Mitigate CVE-2024-28286
Immediate Actions Required
- Inventory all systems and embedded devices that link against libiec61850 1.4.0 and identify those exposing MMS services
- Restrict network access to TCP/102 so only authorized engineering workstations and substation peers can reach the MMS server
- Place vulnerable IEC 61850 endpoints behind ICS-aware firewalls or data diodes where feasible
- Apply automated process supervision so that a crashed MMS server is restarted while remediation is pending
Patch Information
No fixed version is referenced in the NVD entry at the time of publication. Review the upstream GitHub Issue Discussion for patch status and upgrade to a release that addresses the NULL pointer dereference once available from mz-automation.
Workarounds
- Segment IEC 61850 MMS servers onto isolated control networks and block TCP/102 from general IT zones
- Enforce strict allow-lists at firewalls so only known substation peers can establish MMS associations
- Disable the MMS file services functionality at the application layer if it is not required for operations
- Monitor and rate-limit MMS connection attempts to reduce exposure to repeated crash attempts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.