Circutor SGE-PLC1000/SGE-PLC50 Stack-Based Buffer Overflow Vulnerability in TACACSPLUS Implementation

Vulnerability

A stack-based buffer overflow vulnerability has been identified in Circutor SGE-PLC1000 and SGE-PLC50 devices, both running version 9.0.2. The flaw is in the 'read_packet()' function of the TACACSPLUS implementation and can be exploited remotely to corrupt memory.
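
Added example, not Circutor's code: the advisory does not publish the affected 'read_packet()' source, so the code below only illustrates the bounds checks a TACACS+ packet reader needs before copying a body into a fixed-size stack buffer. The 12-byte header layout follows RFC 8907; tac_read_packet, demo_check, TAC_MAX_BODY and the sample packet bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAC_HDR_LEN  12    /* RFC 8907 header: version, type, seq_no, flags, session_id[4], length[4] */
#define TAC_MAX_BODY 1024  /* assumed policy cap for this example, not a value from the advisory */

enum { TAC_OK = 0, TAC_SHORT_HEADER = -1, TAC_BODY_TOO_LARGE = -2, TAC_TRUNCATED = -3 };

/* The header length field is a 32-bit big-endian integer and is fully sender-controlled. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical hardened reader. `in` stands in for bytes received from the socket. */
int tac_read_packet(const uint8_t *in, size_t in_len,
                    uint8_t *body, size_t body_cap, size_t *body_len) {
    if (in_len < TAC_HDR_LEN) return TAC_SHORT_HEADER;
    uint32_t declared = be32(in + 8);
    /* Reject before copying: the declared length must fit the policy cap and the buffer. */
    if (declared > TAC_MAX_BODY || declared > body_cap) return TAC_BODY_TOO_LARGE;
    /* The declared length must also be backed by bytes that actually arrived. */
    if (in_len - TAC_HDR_LEN < declared) return TAC_TRUNCATED;
    memcpy(body, in + TAC_HDR_LEN, declared);
    *body_len = declared;
    return TAC_OK;
}

/* Builds a constructed sample packet and parses it into a 64-byte stack buffer. */
int demo_check(uint32_t declared, size_t payload) {
    uint8_t wire[TAC_HDR_LEN + 256] = {0xc0, 0x01, 0x01, 0x00}; /* version, type, seq_no, flags */
    uint8_t body[64];
    size_t n = 0;
    if (payload > 256) payload = 256;
    wire[8]  = (uint8_t)(declared >> 24);
    wire[9]  = (uint8_t)(declared >> 16);
    wire[10] = (uint8_t)(declared >> 8);
    wire[11] = (uint8_t)declared;
    return tac_read_packet(wire, TAC_HDR_LEN + payload, body, sizeof body, &n);
}

int main(void) {
    printf("fits: %d\n", demo_check(16, 16));
    printf("oversized length field: %d\n", demo_check(4096, 16));
    printf("truncated body: %d\n", demo_check(32, 16));
    return 0;
}
```

The length is checked against the destination's capacity, not only against a protocol maximum, so a later change to the buffer size cannot silently reintroduce an overflow.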

Impact

Exploitation of this vulnerability leads to memory corruption, with the potential for remote code execution.

Remediation

Circutor SGE-PLC1000 and SGE-PLC50 units were discontinued in 2015 and replaced by the Compact DC, which became obsolete in November 2024. The current equivalent product is the GEDE EDC. For users with SGE-PLC1000 or SGE-PLC50 units, it is recommended to update to the latest available version (2.0.4) or, at a minimum, to 2.0.0. This not only mitigates the identified vulnerabilities but also provides new functionalities related to the evolution of DLMS, the PRIME standard, STG protocols, and the REST API.

Added: Dec 2, 2025, 1:25 PM
Updated: Dec 2, 2025, 5:57 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 10.0
exploitability: 7.0
remediation: 0.0
relevance: 1.3
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.