Eaton Fixes Power System Hole

Friday, July 17, 2015 @ 06:07 PM gHale

Eaton’s Cooper Power Systems created a patch to mitigate a predictable TCP sequence vulnerability in its Form 6 controls and Idea/IdeaPLUS relays with Ethernet application, according to a report on ICS-CERT.

The researchers who discovered the remotely exploitable vulnerability, Dr. Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech, working on a research project partially sponsored by the Georgia Tech National Electric Energy Testing Research and Applications Center (NEETRAC), tested the patch to validate that it resolves the vulnerability.


All versions of Eaton’s Cooper Power Series Form 6 control and Idea/IdeaPLUS relays with Ethernet with Pro View 4.0 through Pro View 5.0 software suffer from the issue.

An attacker could potentially use this TCP/IP stack vulnerability to enable a man-in-the-middle (MitM) attack against Internet-facing products.

Eaton’s Cooper Power Systems division is a U.S.-based company that maintains offices worldwide.

The affected products, the Form 6 control and Idea/IdeaPLUS relay protection platforms, are used by power grid operators to provide protection and communications support for overcurrent devices such as reclosers and circuit breakers. According to Eaton’s Cooper Power Systems division, these products are deployed primarily in the energy sector worldwide.

As devices accept new connection requests, the initial sequence numbers they choose follow a predictable linear pattern. An attacker could potentially use this TCP/IP stack vulnerability to predict the sequence numbers of new device connections, possibly enabling a MitM attack. A successful MitM attack could allow the attacker to crash the system or execute arbitrary code.
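The defect described above is a property an asset owner can check for from the outside: if the increment between consecutive initial sequence numbers never changes, the next ISN is trivially predictable, which is what the Georgia Tech researchers would have needed to confirm was gone after the patch. The script below is an added example, not code from ICS-CERT, Eaton, or the researchers. It takes a list of ISNs observed on successive connections (the sample values here are constructed, not captured from a Form 6 or Idea relay) and classifies the generator as linear or irregular, including the 32-bit wrap-around case; the hold-out check fits the step on all but the last sample and verifies whether that step would have predicted the last one.

```python
"""
Audit helper: detect a linear (predictable) TCP initial sequence number
(ISN) generator from ISNs observed on successive connections.

Added example; not part of the ICS-CERT advisory or Eaton's software.
All ISN samples below are constructed for illustration.
"""
from typing import Dict, List, Optional

ISN_MODULUS = 1 << 32  # TCP sequence numbers are 32-bit and wrap modulo 2^32


def first_differences(isns: List[int]) -> List[int]:
    """Return the modulo-2^32 increment between each pair of consecutive ISNs."""
    return [(b - a) % ISN_MODULUS for a, b in zip(isns, isns[1:])]


def analyze_isns(isns: List[int], min_samples: int = 4) -> Dict[str, Optional[object]]:
    """
    Classify an ISN sample as 'linear' (every increment identical, so the
    next ISN follows directly from the last one) or 'irregular'.
    For a linear pattern, also report the constant step and the ISN the
    pattern implies for the next connection.
    """
    if len(isns) < min_samples:
        raise ValueError(f"need at least {min_samples} samples, got {len(isns)}")
    steps = first_differences(isns)
    distinct = set(steps)
    if len(distinct) == 1:
        step = steps[0]
        return {
            "pattern": "linear",
            "step": step,
            "distinct_increments": 1,
            "predicted_next": (isns[-1] + step) % ISN_MODULUS,
        }
    return {
        "pattern": "irregular",
        "step": None,
        "distinct_increments": len(distinct),
        "predicted_next": None,
    }


def holdout_check(isns: List[int]) -> bool:
    """
    Fit the pattern on all but the last ISN and report whether that fit
    would have predicted the last one.  True means the generator is
    predictable from a handful of prior connections; False is what a
    patched device should return.
    """
    fit = analyze_isns(isns[:-1])
    return fit["pattern"] == "linear" and fit["predicted_next"] == isns[-1]


# Constructed samples: a fixed +64000 step (the unpatched behaviour the
# advisory describes), a step that crosses the 32-bit boundary, and an
# irregular sequence standing in for a randomised generator.
LINEAR_ISNS = [0x10000000, 0x1000FA00, 0x1001F400, 0x1002EE00, 0x1003E800]
WRAPPING_ISNS = [4294965896, 4294967096, 1000, 2200]
IRREGULAR_ISNS = [0x8F3A2C11, 0x12D9E0A4, 0xC70B5E92, 0x3E81F7D0, 0xA5C40B37]

if __name__ == "__main__":
    for label, sample in (("linear", LINEAR_ISNS),
                          ("wrapping", WRAPPING_ISNS),
                          ("irregular", IRREGULAR_ISNS)):
        report = analyze_isns(sample)
        print(f"{label:9s} pattern={report['pattern']:9s} "
              f"distinct_increments={report['distinct_increments']} "
              f"step={report['step']}")
    print("hold-out predictable (linear):   ", holdout_check(LINEAR_ISNS))
    print("hold-out predictable (irregular):", holdout_check(IRREGULAR_ISNS))
```

In practice the ISNs would be read from the SYN-ACK packets of a series of test connections to the device (a packet capture is enough); the analysis needs only a few samples because a linear generator betrays itself immediately. A single distinct increment is the clear failure case; a patched stack should show as many distinct increments as there are samples.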

CVE-2014-9196 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.6.

No known public exploits have targeted this vulnerability. In addition, an attacker would require high skill levels to exploit this vulnerability.

No authentication mechanism is used for new socket connections to the SCADA protocol listening ports on the Form 6 control and Idea/IdeaPLUS relays. The effects of exploiting this vulnerability are therefore the same as those of an attacker connecting directly to the control or its network and listening for or initiating a new session, without exploiting any vulnerability at all.

This underscores the importance of deploying network segmentation and isolation on the control system network. By ensuring that controls are not accessible from external networks and that appropriate physical security measures are in place at network access points, the risks associated with this vulnerability are greatly reduced.

Eaton’s Cooper Power Systems recommends that asset owners using these products take the proper steps to ensure a system-wide defense-in-depth strategy, as outlined in Eaton’s whitepaper WP152002EN.

Eaton’s Cooper Power Systems division has developed ProView 5.0 Revision 11 software that mitigates this vulnerability. The Form 6 control version was released on June 12, and the Idea/IdeaPLUS relay ProView software versions became available June 30. ProView 5.0 Revision 11 is compatible with any hardware and firmware version 5.0 and higher. Versions below 5.0 can be updated with the appropriate and corresponding hardware upgrades. Eaton provides further information on how to obtain and install these remedies.
