MZ Automation has released IEC 60870-5-101/104 version 2.4.1, the latest update to our IEC 60870-5-101/104 C source code library.
This release focuses primarily on security, stability, and reliability. It addresses the vulnerabilities reported during recent weeks, including several issues affecting ASDU parsing, TLS certificate validation, message-length validation, and server communication.
Version 2.4.1 is not intended as a major feature release. However, it also includes a limited number of minor improvements and API additions.
Vulnerability Fixes
The release contains several important security corrections:
- Added message-length validation when parsing Information Object Addresses within ASDUs and information objects.
- Fixed an out-of-bounds read in the decoder for ASDU type S_IT_TC_1
(LIB8705-305, GHSA-f5xp-w6f3-vvrv). - Fixed a TLS certificate-validation bypass affecting the mbedTLS 2.28 integration when allowOnlyKnownCertificate=true and validateChain=false
(LIB8705-304, GHSA-fc2j-39h7-c7v9). - Removed the unencrypted TLS_RSA_WITH_NULL_SHA256 cipher suite from the default TLS configuration for both mbedTLS 2.28 and 3.6
(LIB8705-303). - Added validation of the ASDU Variable Structure Qualifier field against the expected payload size when creating an ASDU from a buffer
(GHSA-7v97-jmwv-w5j7).
Users are strongly encouraged to update to version 2.4.1, particularly when IEC 60870-5-101/104 is used in network-connected or security-sensitive environments.
Additional Improvements
Version 2.4.1 also introduces several smaller improvements:
- Added a mutex to protect Certificate Revocation List updates and access during runtime for the mbedTLS 2.28 and 3.6 integrations
(LIB8705-307). - Added the previously missing IntegratedTotalsForSecurityStatistics_getAID function.
- Added checks to determine whether an ASDU type permits multiple information objects before information objects are added to or read from an ASDU.
- Improved TLS renegotiation handling for mbedTLS 2.28 by driving renegotiation and processing timeouts through TLSSocket_tick, allowing precise time-based renegotiation intervals.
- Added validation of the user-provided index passed to CS101_ASDU_getElement.
- Added the TLSConfiguration_setMaxCertificateSize function and an optional maximum certificate-size check during the TLS handshake.
- Fixed the BufferFrame implementation
(LIB8705-313).
Other Bug Fixes
The release also resolves the following functional and stability issues:
- Fixed a CS104 server issue where switching connections without stopping the old connection could cause retransmissions to be sent out of order over the new connection
(LIB8705-283). - Fixed a potential deadlock in the CS104 server thread.
- Fixed a potential memory leak during TLS renegotiation when the peer certificate must be stored.
- Corrected the Cause of Transmission used by the CS101/104 client and master when sending a read command
(LIB8705-270).
Important Compatibility Notice
Customers using the secure authentication module must update it to the latest version when upgrading to IEC 60870-5-101/104 2.4.1 to ensure compatibility.
Updating to Version 2.4.1
Commercial customers with an active Maintenance and Support agreement can obtain the new release through the MZ Automation customer portal or via the official GitHub.
Because this release addresses multiple reported vulnerabilities, we recommend reviewing existing deployments and planning the update as soon as possible.
More information and updates can be found on our other platforms:
YouTube: https://www.youtube.com/@MZAutomation2014
LinkedIn: https://www.linkedin.com/company/mz-automation-gmbh/
