1C: Standard Subsystem Library

The main task of the BSP is to unify development processes and simplify the work of developers, so that configurations become more standardized, reliable and easily updated.

BSP is available only to registered users of 1C:Enterprise 8 products, version not lower than PROF, having a valid 1C:ITS contract, and 1C partners

History

2026: FSTEC warned about the exploit of a dangerous "hole" in the popular development tool "1C: Enterprises "

In early February, FSTEC warned of the discovery of a critical vulnerability BDU:2025-16208^[1] in the 1C: 1C:Subsystems Library (BSP) developer tool, which is part of the 1C:Enterprise 8 platform. The criticality level is defined as 9.0 (out of 10 according to CVSS version 3.1).

As TAdviser explained in "1C," the error was discovered on May 14, and by the end of the same month the developer had released fixes (versions 3.1.10.533 and 3.1.11.189). But in connection with the spread of the exploit for the vulnerability, FSTEC employees recommend that customers install the released "1C" fixes as quickly as possible.

𝓲

Фото: BIT.Asistent

Since BSP is the basic component for the vast majority of modern 1C:Enterprise 8 configurations, this vulnerability potentially affects thousands of implemented systems used for critical business processes throughout Russia and the CIS countries, - Timur Tsybdenov, leading engineer of Gazinformservice, noted the importance of eliminating this error.

The "standard subsystem library" for the "1C" platform is a set of ready-made subsystems and tools that simplify the development of application solutions. The main task of the BSP is to unify development processes and simplify the work of programmers. However, if it has disadvantages related to the control of the code generation process (CWE-94), then similar vulnerabilities arise.

Timur Tsybdenov noted that the technical reason for the disruption of the product was a drawback in the mechanism for validation and cleaning of the input symbol sequence during the generation of the BSP code. This allows an attacker to transmit specially crafted data that is interpreted by the system not as information for processing, but as instructions in the built-in "1C" language, which leads to the execution of arbitrary code.

Exploitation of these shortcomings allows a remote intruder to execute arbitrary code by injecting a malicious script.

The vulnerability is a high danger, as it allows a remote attacker to execute arbitrary code, "Alexey Korobchenko, head of the Security Code information security department, explained to TAdviser readers. - Theoretically, it can be used for mass attacks. However, in practice, most 1C systems operate inside local corporate networks and have limited external integration, which reduces the risks of mass incidents, but leaves a threat to targeted targeted attacks.

The general recommendation for protecting systems that include development tools is to restrict access to them from outsiders.

In the case of BSP, by analogy with the already published recommendations "1C" to limit the execution of "external code," many installations by default work with a number of built-in security mechanisms that reduce the area of ​ ​ attack and require either the participation of an administrator or compromise of an existing account, - said TAdviser Anatoly Peskovsky, head of security analysis at Informzaschita.

Mikhail Korotkov, head of the information security and IT support department "First Bit," recommends first of all updating the library in which the vulnerability was discovered. Then make an audit of access rights, and, if possible, limit the connection to 1C solutions from outside the corporate network - only by "white lists."

After the update, it is worth checking the system for abnormal behavior (especially at night and outside working hours), the expert points out. - It is necessary to proceed from the assumption that the intruder is inside the circuit and plans to move along it for at least three months - at least so much time should be spent observing the potential target of the attackers.

Notes