Alert: DNP3 Implementation Vulnerability

Friday, April 11, 2014 @ 04:04 PM gHale


Two researchers reported to ICS-CERT an improper input validation vulnerability that appeared in numerous slave (outstation) and/or master station software products.

The researchers, Adam Crain of Automatak and Chris Sistrunk, Sr. Consultant for Mandiant, said the vulnerability is not with the DNP3 stack but with the implementation.


The research showed that some of the affected implementations were third-party components embedded in other software packages. To raise awareness, ICS-CERT issued an industry-wide alert.

This vulnerability can be exploited remotely (over an IP-based implementation) as well as from the local system (through a serial-based implementation).

In the graphic below is a list of advisories that ICS-CERT produced in conjunction with the vendors who are producing patches or updates to mitigate the reported vulnerability.
[Graphic 041114dnp3: list of ICS-CERT advisories for the affected vendors]
An attacker who can send a specially crafted TCP packet from the master station's side of an IP-based network can put the outstation/slave into an infinite loop or Denial of Service (DoS) condition. If the device uses a serial connection, the same attack can be carried out with physical access to the master station. The outstation must then be shut down and restarted to clear the loop state.

Likewise, a specially crafted TCP packet sent from the outstation/slave's side of an IP-based network can put the master station into an infinite loop. If the connection is serial, the same attack requires physical access to the outstation. The master must be shut down and restarted to clear the loop state.

Crain and Sistrunk disclosed this vulnerability as part of a larger research project. Their outreach stems from their work with the DNP3 Standards Working group.

Because this vulnerability affects both Internet protocol-connected and serial-connected devices, two CVSS scores were calculated.

In the improper input validation via IP-based devices, an attacker could cause the software to go into an infinite loop with a specially crafted TCP packet, causing the process to crash. The system must be restarted manually to clear the condition.

The following scoring is for IP-connected devices: A CVSS v2 base score of 7.1.

In the improper input validation via serial-based devices, an attacker could cause the software to go into an infinite loop, causing the process to crash. The system must be restarted manually to clear the condition.

The following scoring is for serial-connected devices: A CVSS v2 base score of 4.7.

While the IP-based vulnerability can be exploited remotely, the serial-based vulnerability cannot; it requires local access to the serial-connected outstation.

No known public exploits specifically target this vulnerability. However, an attacker with moderate skill could craft an IP packet able to exploit it on an IP-based device.

Exploiting the serial-based vulnerability would take an attacker with high skill, because it requires physical access to the device or some amount of social engineering.

Because fuzzing tools can identify this class of vulnerability, the researchers suggest developers use extensive negative testing during quality control of their products. They also suggest blocking DNP3 traffic from traversing onto business or corporate networks by using an IPS or firewall with DNP3-specific rule sets.
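As an added example that is not part of the ICS-CERT alert and is not code from Automatak, Mandiant or any affected vendor (the alert does not describe the specific flaws, and this does not reproduce them), the following shows what the input validation and negative testing discussed above look like for the DNP3 link layer, whether the receiving side is the outstation or the master. The frame layout (0x05 0x64 start, length, control, destination, source, header CRC, then 16-byte data blocks each with its own CRC) and the CRC parameters (polynomial 0x3D65, reflected, complemented, sent LSB first) are those of the DNP3 standard; the device addresses, payloads and the malformed test frames are constructed for the example.

```python
"""DNP3 link-layer (FT3) frame parser with strict input validation, plus a
small negative-test harness. Constructed example; not code from ICS-CERT,
Automatak, Mandiant or any vendor, and not the flaw from the alert."""

import struct

START = b"\x05\x64"
HEADER_LEN = 10    # start(2) + length + control + dst(2) + src(2) + crc(2)
BLOCK = 16         # user data is sent in 16-byte blocks, each followed by a CRC
MIN_LENGTH = 5     # length byte counts control + dst + src (5) plus user data
MAX_LENGTH = 255


def crc16_dnp3(data: bytes) -> int:
    """DNP3 CRC-16: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


class FrameError(ValueError):
    """Raised for any malformed frame; the caller drops the frame and moves on."""


def parse_frame(buf: bytes) -> dict:
    """Parse one FT3 frame. Every length and CRC is checked before it is used,
    so malformed input yields FrameError instead of an out-of-range read or an
    unbounded loop."""
    if len(buf) < HEADER_LEN:
        raise FrameError("truncated header")
    if buf[:2] != START:
        raise FrameError("bad start bytes")
    length, ctrl, dst, src, crc = struct.unpack("<BBHHH", buf[2:10])
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise FrameError(f"length {length} out of range")
    if crc16_dnp3(buf[:8]) != crc:
        raise FrameError("header CRC mismatch")
    user_len = length - MIN_LENGTH
    n_blocks = (user_len + BLOCK - 1) // BLOCK
    if len(buf) < HEADER_LEN + user_len + 2 * n_blocks:
        raise FrameError("truncated user data")
    payload = bytearray()
    pos, remaining = HEADER_LEN, user_len
    while remaining > 0:                 # bounded: remaining strictly decreases
        chunk = min(BLOCK, remaining)
        block = buf[pos:pos + chunk]
        (bcrc,) = struct.unpack("<H", buf[pos + chunk:pos + chunk + 2])
        if crc16_dnp3(block) != bcrc:
            raise FrameError(f"data CRC mismatch at offset {pos}")
        payload += block
        pos += chunk + 2
        remaining -= chunk
    return {"ctrl": ctrl, "dst": dst, "src": src,
            "payload": bytes(payload), "consumed": pos}


def build_frame(ctrl: int, dst: int, src: int, payload: bytes = b"") -> bytes:
    """Encode a well-formed frame; used here only to produce test input."""
    if len(payload) > MAX_LENGTH - MIN_LENGTH:
        raise ValueError("payload too long for one frame")
    hdr = START + struct.pack("<BBHH", MIN_LENGTH + len(payload), ctrl, dst, src)
    out = hdr + struct.pack("<H", crc16_dnp3(hdr))
    for i in range(0, len(payload), BLOCK):
        block = payload[i:i + BLOCK]
        out += block + struct.pack("<H", crc16_dnp3(block))
    return out


def forged_header(length: int) -> bytes:
    """Header with an attacker-chosen length byte and a *valid* CRC, the kind
    of input a checksum-aware fuzzer produces. Addresses are constructed."""
    hdr = START + struct.pack("<BBHH", length, 0xC4, 1, 1024)
    return hdr + struct.pack("<H", crc16_dnp3(hdr))


def negative_tests() -> dict:
    """Feed the parser deliberately malformed frames (constructed here) and
    record the outcome. A parser that hangs, or raises anything other than
    FrameError, on any of these fails the test."""
    good = build_frame(0xC4, 1, 1024, bytes(range(20)))   # 2 data blocks
    cases = {
        "valid": good,
        "empty": b"",
        "bad_start": b"\x00" + good[1:],
        "length_0_valid_crc": forged_header(0),
        "length_4_valid_crc": forged_header(4),
        "length_40_no_data": forged_header(40),
        "header_crc_flipped": good[:8] + bytes([good[8] ^ 0x01]) + good[9:],
        "data_crc_flipped": good[:-1] + bytes([good[-1] ^ 0x80]),
        "truncated": good[:-3],
    }
    results = {}
    for name, frame in cases.items():
        try:
            parse_frame(frame)
            results[name] = "accepted"
        except FrameError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in negative_tests().items():
        print(f"{name:22s} {outcome}")
```

The checks are ordered so that nothing derived from the packet (the length byte, the block count, the slice offsets) is used until it has been range-checked and its CRC verified, and the block loop terminates because its counter is decremented by a positive amount on every pass. Running the harness under a fuzzer that mutates the length byte and recomputes the CRC, rather than only flipping random bytes, is what exposes the kind of length-handling bug the alert describes.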


