Nano-10 PLC Denial of Service

Tuesday, July 9, 2013 @ 03:07 PM gHale


Tri Inc. produced a firmware upgrade to fix an improper input validation vulnerability in its Nano-10 programmable logic controller (PLC), according to a report from ICS-CERT.

Researcher Jon Christmas of Solera Networks, who found the remotely exploitable vulnerability, tested the upgrade and validated that it resolves the issue.

All Tri Inc. Nano-10 PLC firmware versions prior to r81 suffer from the issue.


An attacker could send a specially crafted packet to the PLC and cause a denial-of-service (DoS) condition. Exploitation of this vulnerability could leave the device inaccessible from the network, with recovery only after a manual power cycle of the device. The impact is to the availability of the system.

British Columbia, Canada-based Tri Inc. has another main office in Delaware in the U.S.

The affected product, the Nano-10 PLC, is a controller typically used with automated manufacturing equipment such as packaging machines, dispensing machines, and pump controls. According to Tri Inc., the Nano-10 is deployed across several industries including agriculture and food, building automation, transportation systems, water and wastewater, and energy, as well as in elevator and HVAC systems. Tri Inc. estimates distribution of the product at 60 percent in the United States, 10 percent in Canada, 5 percent in Australia, 10 percent in Singapore, 10 percent in South Korea, and 5 percent in the rest of the world.

The Nano-10 PLC has a gap in its bounds checking of incoming Modbus/TCP packets. By sending a specially crafted packet to Port TCP/502 of the PLC, an attacker could create a DoS condition that leaves the device inaccessible from the network and is only recoverable with a manual reboot.
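The advisory says no more about where the gap lies. As an added illustration (this is not the Nano-10 firmware or any Tri Inc. code), the C parser below shows what complete bounds checking of a Modbus/TCP application data unit looks like: the MBAP length field, which the peer controls, is range-checked against the protocol's 254-byte maximum before any buffer size or wait condition is derived from it, and a per-function check then validates the PDU fields. The sample frames at the bottom are constructed for this example, not captured traffic, and the names and status codes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Modbus/TCP framing limits (Modbus Messaging on TCP/IP Implementation Guide). */
#define MBAP_LEN   7               /* transaction id(2) + protocol id(2) + length(2) + unit id(1) */
#define MAX_PDU    253             /* function code + data */
#define MAX_LENGTH (MAX_PDU + 1)   /* the MBAP length field counts unit id + PDU, so at most 254 */

enum mb_status {
    MB_OK = 0,
    MB_NEED_MORE,     /* header or PDU not fully received; waiting is safe because the size is bounded */
    MB_ERR_PROTO,     /* protocol id must be 0 for Modbus */
    MB_ERR_LENGTH,    /* length field outside [2, 254], or PDU size wrong for the function */
    MB_ERR_FUNCTION,  /* function code not handled by this example */
    MB_ERR_RANGE      /* a per-function field is out of range */
};

struct mb_frame {
    uint16_t       transaction_id;
    uint8_t        unit_id;
    uint8_t        function;
    const uint8_t *data;      /* points into the caller's buffer; nothing is copied */
    size_t         data_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }

/* Parse one ADU from the head of buf. Each bound is checked before anything is derived from it. */
enum mb_status mb_parse_adu(const uint8_t *buf, size_t n, struct mb_frame *out, size_t *consumed)
{
    if (n < MBAP_LEN)
        return MB_NEED_MORE;                       /* header incomplete; the header is a fixed 7 bytes */
    if (be16(buf + 2) != 0)
        return MB_ERR_PROTO;
    uint16_t length = be16(buf + 4);
    /* The peer controls this field. Reject out-of-range values before a buffer size
       or a wait condition is computed from it; this is the check a "gap" would omit. */
    if (length < 2 || length > MAX_LENGTH)
        return MB_ERR_LENGTH;
    size_t adu_len = (size_t)(MBAP_LEN - 1) + length;   /* 6 + length, never more than 260 */
    if (n < adu_len)
        return MB_NEED_MORE;                       /* bounded wait: at most 260 bytes are ever buffered */
    out->transaction_id = be16(buf);
    out->unit_id        = buf[6];
    out->function       = buf[7];
    out->data           = buf + 8;
    out->data_len       = (size_t)length - 2;      /* unit id and function code excluded */
    *consumed           = adu_len;
    return MB_OK;
}

/* Second-level check for function 0x03, Read Holding Registers: exactly 4 data bytes
   (starting address, quantity) and a quantity of 1..125 registers per the spec. */
enum mb_status mb_check_read_holding(const struct mb_frame *f)
{
    if (f->function != 0x03) return MB_ERR_FUNCTION;
    if (f->data_len != 4)    return MB_ERR_LENGTH;
    uint16_t quantity = be16(f->data + 2);
    if (quantity < 1 || quantity > 125) return MB_ERR_RANGE;
    return MB_OK;
}

/* Constructed sample frames for this example, not captured traffic. */
static const uint8_t FRAME_VALID[]     = {0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0A};
static const uint8_t FRAME_BIG_LEN[]   = {0x00,0x02, 0x00,0x00, 0x01,0x2C, 0x01, 0x03, 0x00,0x00, 0x00,0x0A}; /* length 300 */
static const uint8_t FRAME_TINY_LEN[]  = {0x00,0x03, 0x00,0x00, 0x00,0x01, 0x01};                             /* length 1: no function code */
static const uint8_t FRAME_BAD_PROTO[] = {0x00,0x04, 0x00,0x01, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0A};
static const uint8_t FRAME_TRUNCATED[] = {0x00,0x05, 0x00,0x00, 0x00,0x64, 0x01, 0x03, 0x00,0x00, 0x00,0x0A}; /* claims 100, carries 12 */
static const uint8_t FRAME_ZERO_QTY[]  = {0x00,0x06, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x00};

/* Small wrappers that parse and return only a status or a byte count. */
int mb_status_of(const uint8_t *buf, size_t n)
{
    struct mb_frame f; size_t used = 0;
    return (int)mb_parse_adu(buf, n, &f, &used);
}
size_t mb_consumed_of(const uint8_t *buf, size_t n)
{
    struct mb_frame f; size_t used = 0;
    return mb_parse_adu(buf, n, &f, &used) == MB_OK ? used : 0;
}
int mb_read_holding_status_of(const uint8_t *buf, size_t n)
{
    struct mb_frame f; size_t used = 0;
    enum mb_status s = mb_parse_adu(buf, n, &f, &used);
    return (int)(s == MB_OK ? mb_check_read_holding(&f) : s);
}

int main(void)
{
    printf("valid: %d (consumed %zu)\n", mb_status_of(FRAME_VALID, sizeof FRAME_VALID), mb_consumed_of(FRAME_VALID, sizeof FRAME_VALID));
    printf("length 300: %d, length 1: %d, protocol 1: %d\n", mb_status_of(FRAME_BIG_LEN, sizeof FRAME_BIG_LEN),
           mb_status_of(FRAME_TINY_LEN, sizeof FRAME_TINY_LEN), mb_status_of(FRAME_BAD_PROTO, sizeof FRAME_BAD_PROTO));
    printf("truncated: %d, quantity 0: %d\n", mb_status_of(FRAME_TRUNCATED, sizeof FRAME_TRUNCATED),
           mb_read_holding_status_of(FRAME_ZERO_QTY, sizeof FRAME_ZERO_QTY));
    return 0;
}
```

The design point is that every quantity derived from the packet (the ADU size, how many bytes to wait for, where the data begins, how many registers are requested) is bounded before it is used, so no single crafted packet can push the receiver into a state it cannot recover from. Whether the Nano-10's gap was in the length check, the PDU handling or elsewhere is not stated in the advisory.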

CVE-2013-2784 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

The vulnerability is exploitable remotely wherever a firewall leaves Port TCP/502 open and allows packets to pass through to the PLC; blocking that port at the perimeter, or restricting it to the hosts that need Modbus/TCP access, removes the remote attack path.

No known public exploits specifically target this vulnerability. However, an attacker with a low skill level would be able to exploit it.

Tri Inc. said the Nano-10 PLC's operating system firmware is not field upgradable. It therefore suggests users contact Tri Inc. to coordinate returning affected Nano-10 PLCs so the vendor can upgrade the firmware and resolve the vulnerability.


