IOServer Fixes Resource Exhaustion Flaw

Friday, October 17, 2014 @ 03:10 PM gHale


IOServer has produced a new version that mitigates an out of bound read vulnerability in the IOServer application, according to a report on ICS-CERT.

Adam Crain of Automatak, who discovered the vulnerability along with Chris Sistrunk of Mandiant, tested the new version to validate it resolves the remotely exploitable vulnerability.

RELATED STORIES
Fox-IT Fixes DataDiode Vulnerability
CareFusion Mitigates Vulnerabilities
Siemens Heartbleed Update, Again
Unified Automation Heartbleed Vulnerability

IOServer Version 1.0.20 and older suffers from the issue.

An attacker who exploits this out of bound read vulnerability may be able to crash the OPC Server application software running on the target system.

IOServer is a Sydney, Australia-based company.

The affected product, IOServer, is a Windows-based OPC Server that allows OPC clients, such as human-machine interface and supervisory control and data acquisition systems, to exchange plant floor data with programmable logic circuits. The Windows products include: NT/95/98/ME/2000/2003/XP/2008/7.

The affected product works across multiple sectors including critical manufacturing, water and wastewater systems, energy, and others, said IOServer officials.

A vague interpretation of the DNP3 protocol may allow a null header to cause an out of bound read command to create large numbers of entries in the master in some implementations. This is not a universal problem for all DNP3 users, vendors or integrators, but it may occur.

CVE-2014-5425 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.

No known public exploits specifically target this vulnerability. An attacker with a moderate skill would be able to exploit this vulnerability.

DNP3 Application Note AN2013-004b Validation of Incoming DNP3 Data, published August 13, 2014, addresses this issue. Click here to download this bulletin.

IOServer created a new version that mitigates the vulnerability. Click here to download the new version, Beta2112.exe.

Remote devices should not return a variation of 0 to a master, and a master that encounters a zero length message from a remote should stop processing that message.



Leave a Reply

You must be logged in to post a comment.