Eaton Addresses Fixed Vulnerability

Wednesday, November 25, 2015 @ 11:11 AM gHale

Eaton’s Cooper Power Systems has already released a revision that eliminates a conformance issue involving improper frame padding in an earlier version of Cooper Power Systems Form 6 controls and Idea/IdeaPLUS relays equipped with Ethernet, according to a report on ICS-CERT.

David Formby and Raheem Beyah of Georgia Tech identified the vulnerability caused by an Institute of Electrical and Electronics Engineers (IEEE) conformance issue.

Moxa Fixes OnCell Vulnerabilities
Tibbo Fixes Platform Vulnerabilities
Exemys Web Server Bypass Hole
Unitronics Fixes VisiLogic Holes

ICS-CERT issued an advisory as a notification of a new vulnerability in the previous software version. The researchers have tested the revision to validate it resolves the reported vulnerability.

Previous versions of Eaton’s Cooper Power Series Form 6 control and Idea/IdeaPLUS relays with Ethernet using Pro View 4.0 through Pro View 5.0 firmware versions suffers from the issue.

IEEE 802 specifies packets have a minimum size of 56 bytes. The Ethernet driver should fill the data field with octets of zero for padding when packets are less than 56 bytes. Resident memory and other data end up used for padding in some implementations that could cause information leakage. This attack is passive; the attacker can only see data the affected devices sent out as part of a packet.

Eaton’s Cooper Power Systems division is a U.S.-based company that maintains offices worldwide.

The affected products, Form 6 control and Idea/IdeaPLUS relay protection platforms, see action by power grid operators to apply protection and communications support for overcurrent devices such as reclosers and circuit breakers.

Eaton’s Cooper Power Systems division officials said these products see use primarily in the energy sector. Eaton’s Cooper Power Systems division estimates these products see use on a worldwide basis.

The data padding within the data field of the Ethernet pack should be all zeros. The previous implementation of firmware allowed other data from a known area of memory to end up used in this field and could exfiltrate or leak data.

CVE-2015-6471 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

The attacker would need to be the receiver of the packet (that contains leaked data) or along the path (e.g., on a local network that doesn’t use encryption).

ICS-CERT is unaware of any exploits that target this vulnerability. An attacker with a low skill would be able to exploit this vulnerability. This is a passive attack; the attacker can only access the data contained within the packet.

Eaton’s Cooper Power Systems division has already developed and deployed ProView 5.1 firmware that mitigates this vulnerability, and the Form 6 control version released June 12. Idea/IdeaPLUS relay ProView software versions started posting June 30. Click here for more information on how to obtain and install new firmware versions.

Eaton’s Cooper Power Systems recommends asset owners using these products take the proper steps to ensure systemwide defense-in-depth strategies, as outlined in Eaton’s whitepaper WP152002EN.

For additional technical information, click here to contact Eaton’s Cooper Power Systems.