CG Automation Fixes Improper Input Validation

Tuesday, August 26, 2014 @ 06:08 PM gHale


CG Automation updated its software to mitigate an improper input validation vulnerability in the ePAQ-9410 Substation Gateway DNP3 protocol components, according to a report on ICS-CERT.

CG Automation has tested the updated software to validate that it resolves the remotely exploitable vulnerability, discovered by researchers Adam Crain of Automatak and Chris Sistrunk of Mandiant.


All versions of the ePAQ-9410 Substation Gateway suffer from the issue.

Successful exploitation of this vulnerability could allow an attacker to affect the availability of the DNP3 Master Server software.

CG Automation is a U.S.-based company; the wider CG group has offices in several countries around the world, including the U.S., UK, Netherlands, Italy, India, Germany, France, Czech Republic, China, and Australia.

The affected product, the ePAQ-9410 Substation Gateway, is a gateway used in electric utilities. According to CG Automation, the ePAQ-9410 Substation Gateway deploys across the energy sector. CG Automation said this product sees use primarily in the United States and Europe, with a small percentage in Asia and South America.

The CG Automation Software DNP3 driver, used in the ePAQ-9410 Substation Gateway products, does not validate input correctly. An attacker could cause the software to go into an infinite loop by sending a specifically crafted TCP packet, causing the process to crash.
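The failure the advisory describes, a DNP3 driver that spins forever on a malformed packet, is the classic outcome of trusting a length field the sender controls. The Python parser below is an added example, not CG Automation's driver or anything from the ICS-CERT report; it shows the defensive pattern for the DNP3 link layer: check the declared length against the bytes actually received, verify the header and block CRCs, and bound every loop by a value already validated, so a hostile length byte produces a rejection rather than a hang. The frame layout constants follow the published DNP3 link-layer format (0x05 0x64 start bytes, one-byte length, 16-byte data blocks each followed by a CRC-16/DNP); the sample frames and the junk bytes between them are constructed here.

```python
"""Bounded DNP3 link-layer frame parser (added example, not CG Automation code).

Every length the parser trusts is checked against what actually arrived, and
every loop runs a number of times fixed before it starts, so a crafted length
byte can only cause a FrameError, never an infinite loop or an index error.
"""
import struct

START = b"\x05\x64"      # DNP3 link-layer start bytes
HEADER_LEN = 10          # 8 header bytes + 2-byte header CRC
MIN_LENGTH = 5           # length byte counts control + dest(2) + source(2)
MAX_LENGTH = 255         # one byte, so user data is at most 250 bytes
BLOCK = 16               # user data travels in 16-byte blocks, each + 2-byte CRC


class FrameError(ValueError):
    """Raised for any malformed frame; the caller drops the bytes and resyncs."""


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0x3D65 (0xA6BC bit-reversed), init 0, final complement."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(control: int, dest: int, source: int, user_data: bytes) -> bytes:
    """Encode a well-formed frame (used here only to construct sample input)."""
    if len(user_data) > MAX_LENGTH - MIN_LENGTH:
        raise ValueError("user data too long for one frame")
    header = START + bytes([MIN_LENGTH + len(user_data), control]) + struct.pack("<HH", dest, source)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


def parse_frame(buf: bytes):
    """Return (control, dest, source, user_data, bytes_consumed) or raise FrameError."""
    if len(buf) < HEADER_LEN:
        raise FrameError("truncated header")
    if buf[:2] != START:
        raise FrameError("bad start bytes")
    length = buf[2]
    if length < MIN_LENGTH:                      # length must at least cover the fixed fields
        raise FrameError(f"length {length} below minimum {MIN_LENGTH}")
    if struct.unpack_from("<H", buf, 8)[0] != dnp3_crc(buf[:8]):
        raise FrameError("header CRC mismatch")
    control = buf[3]
    dest, source = struct.unpack_from("<HH", buf, 4)
    user_len = length - MIN_LENGTH
    n_blocks = (user_len + BLOCK - 1) // BLOCK   # at most 16, fixed before the loop starts
    needed = HEADER_LEN + user_len + 2 * n_blocks
    if len(buf) < needed:                        # declared size versus bytes actually present
        raise FrameError(f"frame declares {needed} bytes, only {len(buf)} received")
    user_data, offset, remaining = bytearray(), HEADER_LEN, user_len
    for _ in range(n_blocks):                    # bounded by the validated block count
        size = min(BLOCK, remaining)
        block = buf[offset:offset + size]
        if struct.unpack_from("<H", buf, offset + size)[0] != dnp3_crc(block):
            raise FrameError(f"data CRC mismatch at offset {offset}")
        user_data += block
        offset += size + 2
        remaining -= size
    return control, dest, source, bytes(user_data), offset


def rejects(buf: bytes) -> bool:
    """True if the parser rejects buf with FrameError (and neither hangs nor crashes)."""
    try:
        parse_frame(buf)
    except FrameError:
        return True
    return False


def parse_stream(buf: bytes):
    """Split a byte stream into frames. The cursor moves forward on every
    iteration, so junk between frames costs linear time, never a hang."""
    frames, pos = [], 0
    while pos < len(buf):
        try:
            control, dest, source, data, used = parse_frame(buf[pos:])
        except FrameError:
            nxt = buf.find(START, pos + 1)       # resync on the next start marker
            if nxt < 0:
                break
            pos = nxt
            continue
        frames.append((control, dest, source, data))
        pos += used                              # used >= HEADER_LEN, so progress is guaranteed
    return frames


# Constructed sample traffic: a 20-byte user-data frame and a data-less frame with junk around them.
SAMPLE_FRAME = build_frame(0xC4, 1, 1024, bytes(range(20)))
SAMPLE_STREAM = b"\xff\xff" + SAMPLE_FRAME + b"\x05" + build_frame(0x44, 1024, 1, b"")

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME)[:4])
    print(len(parse_stream(SAMPLE_STREAM)), "frames recovered from the sample stream")
    print("truncated frame rejected:", rejects(SAMPLE_FRAME[:-1]))
```

The two checks that matter for the advisory's failure mode are the `len(buf) < needed` comparison, which stops a length byte from driving the parser past the data it holds, and the `range(n_blocks)` loop bound, which is derived from a length already validated rather than from the data as it is read. A driver that instead loops "until the declared length is consumed" while reading past the end of a short packet can spin indefinitely, which is the behaviour the report describes.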

The following scoring is for IP-connected devices: CVE-2014-0761 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

In terms of serial-connected devices, the CG Automation Software DNP3 driver, used in the ePAQ-9410 Substation Gateway products, does not validate input correctly. An attacker could cause the software to go into an infinite loop, causing the process to crash. The system would have to be manually restarted to clear the condition.

The following scoring is for serial-connected devices: CVE-2014-0762 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.

While the IP-based vulnerability is remotely exploitable, the serial-based vulnerability is not. There would have to be local access to the serial-based outstation.

No known public exploits specifically target this vulnerability. An attacker with a moderate skill could craft a TCP packet that would be able to exploit the vulnerability for an IP-based device.

An attacker with a high skill could exploit the serial-based vulnerability, because it requires physical access to the device or some amount of social engineering.

CG Automation has fixed this vulnerability with updated software. Users may obtain the updated software by downloading it from this web site.


