
Zeek Security Tool Vulnerabilities Allow ICS Network Hacking

Vulnerabilities in a plugin for the Zeek network security monitoring tool can be exploited in attacks aimed at ICS environments.


A plugin for the open source network security monitoring tool Zeek is affected by several vulnerabilities that threat actors could leverage in attacks aimed at industrial control system (ICS) environments.

The existence of the vulnerabilities was disclosed recently by the US security agency CISA. The agency’s ICS advisory describes two critical- and one high-severity vulnerabilities impacting the Ethercat plugin for Zeek. The security holes are tracked as CVE-2023-7244, CVE-2023-7243 and CVE-2023-7242.

The Ethercat plugin is one of roughly a dozen ICS protocol parsers available for Zeek, a widely used network security monitoring framework. Zeek is deployed as a passive sensor, whether on dedicated hardware, as software on a general-purpose host, or in the cloud, and quietly observes a copy of network traffic for signs of possible threats.

The Industrial Control System Network Protocol Parser (ICSNPP) plugins extend Zeek's capabilities by parsing and logging ICS-specific protocols such as Bacnet, Ethernet/IP, Modbus, OPC UA, S7comm and Ethercat, so that Zeek scripts and downstream tools can look for malicious traffic in them.

Cameron Whitehead of the University of Central Florida discovered that the Zeek plugin for the Ethercat industrial automation protocol is affected by potentially serious vulnerabilities. The researcher has won several hacking competitions organized by the US Department of Energy in recent years.

According to the official Zeek website, the tool has more than 10,000 deployments worldwide, and Whitehead told SecurityWeek that while the impacted plugin is optional, it has been automatically bundled with Zeek in several popular security software suites, such as Security Onion.

This means the vulnerabilities could also expose environments beyond ICS, even though that is where the impacted plugin is most likely to be present.

Exploitation of the vulnerabilities involves sending specially crafted packets across a network segment that Zeek monitors; the packets need only pass the sensor, not be addressed to it. This typically requires a foothold on the targeted organization's network, but if the monitored segment carries internet-facing traffic, the packets could be sent directly from the internet.


However, the researcher noted, “It’s hard to assess the scale of how many systems are affected, since you can’t search for things like ‘zeek monitors this network’ on Shodan, since there is no public indicator.”

In the simplest attack scenario, an attacker could exploit one of the vulnerabilities to crash the Zeek process, and do so repeatedly. Such an attack is reliable and requires only a single UDP packet; it denies the targeted entity the ability to monitor its network with Zeek.

In a more complex scenario, an attacker who already has limited access to a machine running Zeek could chain all three vulnerabilities to execute arbitrary code with elevated privileges.

“Zeek is often run as the root or superuser in order to allow it to monitor a network, which would let the attacker significantly escalate their privileges by gaining access to that user,” Whitehead explained. 

The most concerning theoretical attack scenario involves targeting systems where exploit mitigations such as ASLR are disabled or not available, which removes the need for any prior access to the Zeek host.

“An attacker could trivially compromise a computer monitoring a network and gain access to the ability to view all traffic in the network, potentially being able to sniff confidential information,” the researcher said. “This also would give an attacker a foothold to stage further attacks from within a trusted place in the environment.”

“This is done by just sending a couple of UDP packets to any machine on the monitored network, which can likely be done from anywhere on the internet for many networks,” he added.
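As an added illustration (not code from the article, from the researcher or from the Zeek project), the following POSIX shell script audits a Zeek sensor host for the two host-side conditions discussed above: Zeek processes running as root, which turns a parser bug into a root compromise, and ASLR being disabled or ineffective, the scenario the researcher describes as most concerning. It assumes a Linux host with procfs (`/proc/sys/kernel/randomize_va_space`), POSIX `od` and `ps`, and a `zeek` binary located via the hypothetical `ZEEK_BIN` variable or `PATH`. Because ASLR only relocates the main executable when it was built as a position-independent executable (ELF type ET_DYN), the script inspects the ELF header of the `zeek` binary as well as the kernel setting.

```sh
#!/bin/sh
# Added example for this article; not code from the article, the researcher
# or the Zeek project. Audits a Zeek sensor host for the two host-side
# conditions discussed above: Zeek running as root, and ASLR disabled or
# ineffective for the zeek binary.
# Assumptions: Linux procfs (/proc/sys/kernel/randomize_va_space), a POSIX
# od(1) and ps(1), and a zeek binary found via $ZEEK_BIN (hypothetical
# variable) or PATH.

# aslr_level VALUE -> meaning of kernel.randomize_va_space. Takes the value
# as an argument so the mapping can be checked with constructed input.
aslr_level() {
    case "$1" in
        0) printf 'disabled\n' ;;
        1) printf 'partial\n' ;;   # mmap base, stack and VDSO randomized, brk is not
        2) printf 'full\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# read_aslr_level -> aslr_level of the running kernel, or unknown off Linux.
read_aslr_level() {
    if [ -r /proc/sys/kernel/randomize_va_space ]; then
        aslr_level "$(cat /proc/sys/kernel/randomize_va_space)"
    else
        printf 'unknown\n'
    fi
}

# elf_type FILE -> EXEC, DYN, OTHER or NOTELF, read straight from the ELF
# header: e_ident[EI_DATA] at offset 5 gives the byte order, e_type is the
# 16-bit field at offset 16. ASLR can only relocate the main executable when
# it is a position-independent executable, i.e. ET_DYN (3); ET_EXEC (2) is
# loaded at a fixed address regardless of the kernel setting.
elf_type() {
    f=$1
    [ -r "$f" ] || { printf 'NOTELF\n'; return 0; }
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { printf 'NOTELF\n'; return 0; }
    data=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' \n')
    set -- $(od -An -tu1 -j16 -N2 "$f")
    b0=${1:-0}; b1=${2:-0}
    if [ "$data" = "2" ]; then
        etype=$(( b0 * 256 + b1 ))   # big-endian header
    else
        etype=$(( b1 * 256 + b0 ))   # little-endian header (EI_DATA = 1)
    fi
    case "$etype" in
        2) printf 'EXEC\n' ;;
        3) printf 'DYN\n' ;;
        *) printf 'OTHER\n' ;;
    esac
}

# zeek_root_count PS_TEXT -> number of zeek processes owned by root, where
# PS_TEXT is the output of `ps -eo user=,comm=` (passed as text so the
# logic can be exercised with a constructed sample).
zeek_root_count() {
    printf '%s\n' "$1" | awk '$1 == "root" && $2 == "zeek" { n++ } END { print n + 0 }'
}

# assess ASLR_LEVEL ELF_TYPE ROOT_COUNT -> prints one FLAG line per finding;
# returns 0 when nothing is flagged, 1 otherwise.
assess() {
    rc=0
    if [ "$1" != "full" ]; then
        printf 'FLAG: ASLR is %s (kernel.randomize_va_space should be 2)\n' "$1"
        rc=1
    fi
    if [ "$2" != "DYN" ]; then
        printf 'FLAG: zeek binary type is %s, not a PIE; ASLR cannot relocate it\n' "$2"
        rc=1
    fi
    if [ "$3" -gt 0 ]; then
        printf 'FLAG: %s zeek process(es) running as root; run Zeek as an unprivileged user holding only the capture capabilities (cap_net_raw, cap_net_admin)\n' "$3"
        rc=1
    fi
    return $rc
}

main() {
    bin=${ZEEK_BIN:-$(command -v zeek 2>/dev/null || printf '%s' /usr/local/zeek/bin/zeek)}
    lvl=$(read_aslr_level)
    typ=$(elf_type "$bin")
    n=$(zeek_root_count "$(ps -eo user=,comm= 2>/dev/null)")
    printf 'zeek binary: %s (%s)  ASLR: %s  root zeek processes: %s\n' "$bin" "$typ" "$lvl" "$n"
    if assess "$lvl" "$typ" "$n"; then
        printf 'OK: host does not match the root/no-ASLR scenario\n'
    else
        printf 'Host matches one or more of the conditions that make exploitation easier\n'
    fi
}

main
```

Run it as any user that can read the Zeek binary; each `FLAG:` line is one of the conditions above being present on the host. To confirm whether the Ethercat plugin is loaded at all on a given sensor, `zeek -N` prints the loaded plugins and can be grepped case-insensitively for `ethercat`.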

Whitehead said it took roughly six weeks for the Ethercat plugin vulnerabilities to be patched, noting that a major redesign was needed and that most of the code logic was changed.

The researcher has also tested some of the other ICS-specific Zeek plugins and found that they are not affected by the same or similar flaws.

“It was a kind of unusual situation where the Ethercat plugin specifically had a fairly different programming style and structure. A lot of what I do when I’m hunting for bugs is I look for code which seems to be different from what surrounds it. This code tends to have different, often worse, security considerations,” Whitehead explained. 

Update: Shortly after this article was published, the developers of Security Onion released a blog post to inform users that the current version of the product includes the updated version of the plugin and is not affected by the vulnerabilities.

Related: Remote Stuxnet-Style Attack Possible With Web-Based PLC Malware: Researchers

Related: Mitsubishi Electric Factory Automation Flaws Expose Engineering Workstations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
