DNP3 Implementation Vulnerability

Monday, October 21, 2013 @ 06:10 PM gHale


An improper input validation vulnerability affects numerous outstation (slave) and master station software products. The flaw is not in the DNP3 protocol itself but in how individual vendors implemented it.

DNP3 (Distributed Network Protocol) is a set of communications protocols used between components in process automation systems. Its main use is in utilities such as electric and water companies; usage in other industries is not common. It provides communications between various types of data acquisition and control equipment and plays a crucial role in SCADA systems, where it connects SCADA master stations (also called control centers), remote terminal units (RTUs), and intelligent electronic devices (IEDs).


The research, conducted by Adam Crain of Automatak and independent researcher Chris Sistrunk, found that some of the affected implementations are third-party DNP3 components embedded in other vendors' software packages, so one flawed stack can surface in several products.

The vulnerability can be exploited remotely against IP-based implementations, and from the local system against serial-based implementations.

Below is a non-exhaustive list of the advisories NCCIC/ICS-CERT created in conjunction with the vendors, each of which produced a patch or update to mitigate the reported vulnerability.

GE ICSA-13-297-02, Catapult Software ICSA-13-297-01, Alstom ICSA-13-282-01A, IOServer ICSA-13-161-01, IOServer ICSA-13-213-03, Kepware Technologies ICSA-13-226-01, MatrikonOPC ICSA-13-213-04A, Schweitzer Engineering Laboratories ICSA-13-219-01, Software Toolbox ICSA-13-234-02, SUBNET Solutions Inc. ICSA-13-252-01, and Triangle MicroWorks ICSA-13-240-01.

An outstation/slave can be driven into an infinite loop, a Denial of Service (DoS) condition, by sending it a specially crafted TCP packet from the master station's position on an IP-based network. If the device connects via a serial connection, the same attack requires physical access to the master station. The device must be shut down and restarted to clear the loop state.

A master station can likewise be driven into an infinite loop by sending it a specially crafted TCP packet from the outstation/slave's position on an IP-based network. If the device connects via a serial connection, the same attack requires physical access to the outstation. The device must be shut down and restarted to clear the loop state.

As this vulnerability affects Internet protocol-connected and serial-connected devices, there are two CVSS scores.

For IP-connected devices, an attacker could cause the software to go into an infinite loop with a specially crafted TCP packet, causing the process to crash; the system must be restarted manually to clear the condition. The CVSS v2 base score is 7.1.

For serial-connected devices, an attacker could cause the same infinite loop and crash, again requiring a manual restart to clear the condition. The CVSS v2 base score is 4.7.

The IP-based vulnerability is remotely exploitable, while the serial-based vulnerability is not. An attacker would need local access to the serial-based outstation.

An attacker with moderate skill could craft an IP packet that exploits this vulnerability on an IP-based device.

Exploiting the serial-based vulnerability requires a high skill level, because physical access to the device, or some amount of social engineering, is needed.

Because the researchers identified this vulnerability with fuzzing tools, they said developers should use extensive negative testing (feeding malformed and out-of-specification input to the parser) during quality control of products. They also suggest blocking DNP3 traffic from traversing onto business or corporate networks by using an IPS or firewall with DNP3-specific rule sets.
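The advisories summarized above describe the failure mode (a parser that stops making progress on a crafted frame) and the remedy (negative testing), but not the specific malformed field involved, so the example below does not reproduce any vendor's bug. It is an added illustration, not code from ISSSource, Automatak, or any vendor named in the advisories: a DNP3 link-layer frame parser that computes the total frame size from the LEN field and checks every CRC before consuming a single data block, so its loop is bounded by construction, plus a small deterministic mutation fuzzer of the kind the researchers recommend running during QA. The frame layout (0x05 0x64 start bytes, LEN, CTRL, DST, SRC, header CRC, then user data in 16-byte blocks each followed by a CRC-16/DNP) follows the public protocol description; the sample frames, the mutation list, and all function names are constructed here.

```python
"""Hardened DNP3 link-layer frame parser with a negative-test harness.

Added example (not the page's or any vendor's code). Frame layout is the
public DNP3 link-layer format; sample frames and mutations are constructed.
"""
import random

START = b"\x05\x64"      # DNP3 link-layer start bytes
BLOCK = 16               # user data is sent in 16-byte blocks, each CRC'd
MAX_USER_DATA = 250      # LEN is one byte and also covers CTRL+DST+SRC (5 bytes)
_REFLECTED_POLY = 0xA6BC  # CRC-16/DNP poly 0x3D65, bit-reflected for LSB-first shifting


class FrameError(ValueError):
    """Raised for any malformed frame; the only exception a valid parser should produce."""


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65, init 0, reflected in/out, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ _REFLECTED_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def _with_crc(chunk: bytes) -> bytes:
    return chunk + crc_dnp(chunk).to_bytes(2, "little")   # CRC is sent LSB first


def build_frame(ctrl: int, dst: int, src: int, user_data: bytes) -> bytes:
    """Encode one link-layer frame (used here to generate well-formed test input)."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data too long for one link frame")
    header = (START + bytes([5 + len(user_data), ctrl])
              + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    out = _with_crc(header)
    for i in range(0, len(user_data), BLOCK):
        out += _with_crc(user_data[i:i + BLOCK])
    return out


def expected_frame_length(length_field: int) -> int:
    """Total on-wire size implied by LEN, computed before any block is consumed."""
    if length_field < 5:
        raise FrameError(f"LEN {length_field} is smaller than the 5 header bytes it must cover")
    user_len = length_field - 5
    blocks = (user_len + BLOCK - 1) // BLOCK
    return 10 + user_len + 2 * blocks


def parse_frame(buf: bytes) -> dict:
    """Validate, then parse. Every size used for indexing is derived from LEN
    and cross-checked against the buffer, so the block loop cannot spin."""
    if len(buf) < 10:
        raise FrameError("truncated header")
    if buf[:2] != START:
        raise FrameError("bad start bytes")
    if crc_dnp(buf[:8]) != int.from_bytes(buf[8:10], "little"):
        raise FrameError("header CRC mismatch")
    length_field = buf[2]
    total = expected_frame_length(length_field)
    if len(buf) != total:
        raise FrameError(f"LEN implies {total} bytes on the wire, got {len(buf)}")
    user_len = length_field - 5
    data = bytearray()
    for block_start in range(0, user_len, BLOCK):          # bounded by user_len, not by input
        n = min(BLOCK, user_len - block_start)
        pos = 10 + block_start + 2 * (block_start // BLOCK)  # skip the CRCs of earlier blocks
        chunk = buf[pos:pos + n]
        if crc_dnp(chunk) != int.from_bytes(buf[pos + n:pos + n + 2], "little"):
            raise FrameError(f"data block CRC mismatch at offset {pos}")
        data += chunk
    return {"ctrl": buf[3], "dst": int.from_bytes(buf[4:6], "little"),
            "src": int.from_bytes(buf[6:8], "little"), "user_data": bytes(data)}


def is_rejected(buf: bytes) -> bool:
    """True if the parser rejects buf cleanly with FrameError."""
    try:
        parse_frame(buf)
        return False
    except FrameError:
        return True


def negative_test(seed: int = 7, rounds: int = 500) -> dict:
    """Deterministic mutation fuzzing: each mutated frame must be accepted or
    rejected with FrameError. Anything else (another exception, or a hang that
    a CI timeout would catch) is a parser defect. Returns outcome counts."""
    rng = random.Random(seed)
    base = build_frame(0xC4, 1, 1024, bytes(range(40)))   # constructed 3-block frame
    counts = {"accepted": 0, "rejected": 0, "crashed": 0}
    for _ in range(rounds):
        m = bytearray(base)
        choice = rng.randrange(4)
        if choice == 0:                       # flip one bit anywhere (LEN and CRCs included)
            i = rng.randrange(len(m))
            m[i] ^= 1 << rng.randrange(8)
        elif choice == 1:                     # truncate mid-frame
            del m[rng.randrange(1, len(m)):]
        elif choice == 2:                     # trailing junk after a valid frame
            m += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 20)))
        else:                                 # arbitrary LEN, header CRC left stale
            m[2] = rng.randrange(256)
        try:
            parse_frame(bytes(m))
            counts["accepted"] += 1
        except FrameError:
            counts["rejected"] += 1
        except Exception:
            counts["crashed"] += 1
    return counts


if __name__ == "__main__":
    print(parse_frame(build_frame(0xC4, 1, 1024, b"hello")))
    print(negative_test())
```

The two properties worth carrying into a real QA suite are the ones the harness checks: the parser's only failure path is a typed rejection, and the number of iterations it performs is fixed by a value it has already validated against the buffer length, so no crafted LEN, truncated block, or stale CRC can leave it waiting for bytes that will never arrive.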


