Catapult Software DNP3 Driver Bug

Wednesday, November 20, 2013 @ 06:11 PM gHale

Catapult Software created an update that fixes the improper input validation in its DNP3 Driver software, according to a report on ICS-CERT.

Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the vulnerability, tested the updated software to validate that it resolves the vulnerability.

This driver sees use with General Electric (GE) Intelligent Platform’s Proficy iFIX and CIMPLICITY products.

The following Catapult Software products suffer from the remotely exploitable issue:
• Catapult Software DNP driver (“DNP”): Version 7.20.56
• Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) – iFIX or CIMPLICITY servers with the vulnerable I/O Driver installed (this includes iFIX or CIMPLICITY installations that are part of Proficy Process Systems).

An HMI running this driver can be put into a denial-of-service (DoS) condition by a specially crafted transmission control protocol (TCP) packet sent from the outstation on an IP-based network. If the device connects via a serial connection, the same attack is possible with physical access to the outstation. The device must be shut down and then restarted to recover from the DoS.

New Zealand-based Catapult Software specializes in SCADA/HMI software development. The affected product, DNP 3.0 driver, sees use with GE Intelligent Platforms’ iFIX and CIMPLICITY products, which are Web-based SCADA/HMI systems. According to Catapult Software, the driver and SCADA systems deploy across several sectors, including oil and gas, water and wastewater, and electric utilities.

Because this vulnerability affects both Internet Protocol-connected and serial-connected devices, there are two CVSS scores.

The Catapult Software DNP3 driver, used in the GE iFIX and CIMPLICITY products, does not validate input correctly. An attacker could cause the software to go into an infinite loop by sending a specifically crafted TCP packet, causing the process to crash. The system must be restarted manually to clear the condition.

For IP-connected devices, CVE-2013-2811 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

For serial-connected devices, CVE-2013-2823 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.

No known public exploits specifically target this vulnerability; an attacker with moderate skill would be able to exploit it.

An updated driver is available from Catapult Software. Installing Version 7.20.60 (GE IP 7.20k) of the DNP driver or newer will address this issue. The driver is available for download by registering for support.

The driver update is also available from GE.

As an additional layer of protection, the researchers suggest using an IPS or firewall with DNP3-specific rule sets to block DNP3 traffic from traversing onto business or corporate networks.
