Alstom Software Bug Patch Update

Tuesday, October 22, 2013 @ 03:10 PM gHale


There is an update on the Alstom e-terracontrol software vulnerability: the company has created a patch that mitigates the improper input validation vulnerability, according to a report on ICS-CERT.

Adam Crain of Automatak and independent researcher Chris Sistrunk tested the patch to validate that it resolves the remotely exploitable vulnerability.

The following Alstom product suffers from the issue: e-terracontrol, Versions 3.5, 3.6, and 3.7.

An outstation on an IP-based network can put the master into an infinite loop by sending a specially crafted TCP packet. If the user connects the device via a serial connection, the same attack can occur with physical access to the master station. The device must then shut down and restart to reset the loop state.

Alstom is a France-based company that maintains offices worldwide.

The affected product, Alstom e-terracontrol software, sees use in SCADA systems to monitor and control electrical energy systems. According to Alstom, e-terracontrol software sees deployment across the electric energy sector. Alstom estimated these products see use mainly in the U.S. and Europe with a small percentage in Asia.

As this vulnerability affects Internet Protocol-connected and Serial-connected devices, there are two CVSS scores.

The Alstom e-terracontrol DNP Master Driver incorrectly validates input. An attacker could cause the software to go into an infinite loop with a specifically crafted TCP packet, causing the process to crash. If the Alstom e-terracontrol settings end up configured to automatically restart, the DNP3 service will automatically restart and resume communications. Otherwise, the system must restart manually.

The following scoring is for IP-connected devices: CVE-2013-2787 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

The Alstom e-terracontrol DNP Master Driver incorrectly validates input. An attacker could cause the software to go into an infinite loop, causing the process to crash. If the Alstom e-terracontrol settings end up configured to automatically restart, the DNP3 service will automatically restart and resume communications. Otherwise, the system must be restarted manually.

The following scoring is for serial-connected devices: CVE-2013-2818 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.

The IP-based vulnerability could end up exploited remotely, but the serial-based vulnerability is not exploitable remotely. There must be local access to the serial-based outstation.

No known public exploits specifically target this vulnerability, but an attacker with moderate skill could craft an IP packet that would be able to exploit the vulnerability for an IP-based device.

Exploiting the serial-based vulnerability would take an attacker with high skill, because it requires physical access to the device or some amount of social engineering.

Alstom produced a patch that is available for download from the Alstom Grid Customer Wise portal. Users should contact their Alstom representative for download information.


