Circutor SGE-PLC1000
cpe:2.3:h:circutor:sge-plc1000:*:*:*:*:*:*:*
- 9.0.2
A heap-based buffer overflow vulnerability has been identified in Circutor SGE-PLC1000 and SGE-PLC50 devices, both running version 9.0.2. The vulnerability is in the 'ShowSupervisorParameters()' function, where user input is copied into a fixed-size buffer using 'sprintf()' without proper size validation. An attacker can trigger memory corruption by providing excessively large input for the 'meter' parameter.
Exploitation of this vulnerability leads to a heap-based buffer overflow, causing memory corruption that could be exploited for arbitrary code execution.
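The bug class described above, as an added example that is not Circutor firmware code: an unbounded 'sprintf()' into a fixed-size heap buffer next to a hardened form that validates the input and bounds the write. The function names, the 64-byte buffer size, the "meter=" format string and the alphanumeric rule are all assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PARAM_BUF_SIZE 64                     /* assumed; real size is not published */
#define METER_PREFIX   "meter="               /* assumed output format */
#define METER_MAX_LEN  (PARAM_BUF_SIZE - sizeof(METER_PREFIX))  /* 57 chars + NUL */

/* Unsafe pattern from the advisory, for comparison only (never called here):
 * sprintf() writes as much as the input needs, past the end of the heap chunk. */
char *format_meter_unsafe(const char *meter) {
    char *buf = malloc(PARAM_BUF_SIZE);
    if (buf == NULL) return NULL;
    sprintf(buf, METER_PREFIX "%s", meter);   /* unbounded write */
    return buf;
}

/* Allow-list check: non-empty, bounded length, alphanumeric only (assumed format). */
int meter_is_valid(const char *meter) {
    if (meter == NULL) return 0;
    size_t len = strlen(meter);
    if (len == 0 || len > METER_MAX_LEN) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)meter[i])) return 0;
    return 1;
}

/* Hardened form: validate first, bound the write, treat truncation as failure.
 * Returns a heap string the caller frees, or NULL if the input is rejected. */
char *format_meter_safe(const char *meter) {
    if (!meter_is_valid(meter)) return NULL;
    char *buf = malloc(PARAM_BUF_SIZE);
    if (buf == NULL) return NULL;
    int n = snprintf(buf, PARAM_BUF_SIZE, METER_PREFIX "%s", meter);
    if (n < 0 || (size_t)n >= PARAM_BUF_SIZE) { free(buf); return NULL; }
    return buf;
}

int main(void) {
    const char *samples[] = { "MTR0001234", "12;34", "" };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char *s = format_meter_safe(samples[i]);
        printf("%-12s -> %s\n", samples[i], s ? s : "(rejected)");
        free(s);
    }
    return 0;
}
```

Rejecting an over-long value outright, rather than silently truncating it, keeps a malformed request from being processed with a partial parameter.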
Circutor SGE-PLC1000 and SGE-PLC50 units were discontinued in 2015. Users are advised to update to the latest available version (2.0.4) for the current equivalent product, GEDE EDC. For units replaced by the Compact DC, which became obsolete in November 2024, no further action is specified.