NovaTech DNP3 Vulnerability

Thursday, December 19, 2013 @ 04:12 PM gHale

The series of DNP3 vulnerabilities continues with Lenexa, KS-based NovaTech creating a firmware update that mitigates an improper input validation vulnerability in its Orion Substation Automation Platform, according to a report on ICS-CERT.

Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the vulnerability, tested the firmware update to validate that it resolves the remotely exploitable vulnerability.

The following Orion versions suffer from the issue:
• OrionLX DNP Master v1.27.38 and DNP Slave v1.23.10 and earlier (included in firmware releases 7.6 and earlier), and
• Orion5/Orion5r DNP Master v1.27.38 and DNP Slave v1.23.10 and earlier.

A specially crafted command sent over either an Internet Protocol (IP) or a serial connection causes the Orion Process to restart. This applies to both the IP Master/Client and the serial Slave/Server implementations.

The Orion Substation Automation Platform is a SCADA RTU system that uses the DNP3 protocol. According to NovaTech, Orion is deployed across several sectors, primarily in the energy sector in the United States.

Because this vulnerability affects both IP-connected and serial-connected devices, it carries two CVSS scores.

The NovaTech Orion DNP Products Master Driver does not validate input correctly. A specially crafted IP-based packet can cause the Orion Process in the OrionLX to restart. The sequence of effects caused by this packet is the running DNP driver crashes, the Alarm LED/contact asserts, and the Orion process restarts.

The following scoring is for IP-connected devices: CVE-2013-2821 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

A specially crafted packet sent over a serial connection can likewise cause the Orion Process in the OrionLX to restart. The sequence of effects caused by this packet is the same: the running DNP driver crashes, the Alarm LED/contact asserts, and the Orion process restarts.

The following scoring is for serial-connected devices: CVE-2013-2822 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.

While the IP-based vulnerability can be exploited remotely, the serial-based vulnerability cannot: it requires local access to the serial-connected outstation.

While no known public exploits specifically target this vulnerability, an attacker with a moderate skill level could craft an IP packet that exploits it on an IP-connected device.

Exploiting the serial-based vulnerability would require an attacker with a high skill level, because it requires either physical access to the device or some amount of social engineering.

NovaTech has produced a firmware update that is available for download from the NovaTech Orion Support Site (registration is required to gain access).

The researchers suggest the following mitigation: block DNP3 traffic from traversing onto business or corporate networks by using an IPS or firewall with DNP3-specific rule sets.
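The input-validation failure described above and the DNP3-specific filtering the researchers recommend both come down to checking a frame's structure before anything acts on it. The following Python is an added example, not code from NovaTech, ICS-CERT or the researchers: it validates DNP3 link-layer frames (start octets, LENGTH range, frame size consistent with LENGTH, header and data-block CRCs) and rejects inconsistent ones, which is the kind of check a DNP3-aware IPS rule or a driver that validates its input would apply. The frame layout and CRC-16/DNP parameters follow the DNP3 link-layer specification; little-endian transmission of the CRC and address fields is stated as an assumption in the code, and every sample frame is constructed for the demonstration and does not reproduce the NovaTech crash packet, which the advisory does not publish.

```python
"""Structural validation of DNP3 link-layer frames (LPDUs).

Added example, not NovaTech or ICS-CERT code. It shows the checks a
DNP3-aware IPS rule set, or a DNP driver that validates its input, would
apply before a frame reaches the protocol stack: fixed start octets, a
LENGTH field inside its legal range, a frame size that matches LENGTH,
the header CRC, and a CRC on every user-data block. Every frame used
below is constructed here for the demonstration; none reproduces the
packet that crashed the Orion driver, which the advisory does not publish.
"""
from __future__ import annotations

START = b"\x05\x64"   # every LPDU begins with these two octets
MIN_LEN = 5           # CTRL + DEST(2) + SRC(2); LENGTH excludes CRC octets
MAX_LEN = 255         # LENGTH is a single octet
HEADER_SIZE = 10      # start(2) + LEN + CTRL + DEST(2) + SRC(2) + CRC(2)
BLOCK_SIZE = 16       # user data is sent in 16-octet blocks, each with a CRC


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a well-formed LPDU; used here only to create sample input.

    Assumption: CRCs, DEST and SRC are emitted least-significant octet first.
    """
    length = MIN_LEN + len(user_data)
    if length > MAX_LEN:
        raise ValueError("user data does not fit in one frame")
    header = START + bytes([length, ctrl]) + dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    frame = header + crc_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), BLOCK_SIZE):
        block = user_data[i:i + BLOCK_SIZE]
        frame += block + crc_dnp(block).to_bytes(2, "little")
    return frame


def validate_frame(frame: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Anything not internally consistent is rejected."""
    if len(frame) < HEADER_SIZE:
        return False, "truncated header"
    if frame[:2] != START:
        return False, "bad start octets"
    length = frame[2]
    if length < MIN_LEN:
        return False, f"LENGTH {length} below minimum {MIN_LEN}"
    if crc_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        return False, "header CRC mismatch"
    # Derive the only frame size consistent with LENGTH and compare it before
    # touching any data block, so a short or padded frame is caught by
    # arithmetic rather than by an out-of-range read.
    user_len = length - MIN_LEN
    full_blocks, tail = divmod(user_len, BLOCK_SIZE)
    expected = HEADER_SIZE + full_blocks * (BLOCK_SIZE + 2) + (tail + 2 if tail else 0)
    if len(frame) != expected:
        return False, f"frame size {len(frame)} inconsistent with LENGTH {length} (expected {expected})"
    pos, remaining, block_no = HEADER_SIZE, user_len, 0
    while remaining:
        n = min(BLOCK_SIZE, remaining)
        block = frame[pos:pos + n]
        if crc_dnp(block) != int.from_bytes(frame[pos + n:pos + n + 2], "little"):
            return False, f"data block {block_no} CRC mismatch"
        pos, remaining, block_no = pos + n + 2, remaining - n, block_no + 1
    return True, "ok"


def screen(frames: list[bytes]) -> list[tuple[bool, str]]:
    """Apply validate_frame to a batch, as a DNP3-aware filter would per frame."""
    return [validate_frame(f) for f in frames]


def sample_frames() -> dict[str, bytes]:
    """Constructed frames: a clean link reset, one with data, and damaged variants."""
    reset = build_frame(0xC0, dest=1, src=0)               # DIR/PRM set, function 0 (reset link)
    with_data = build_frame(0xC4, 1, 0, bytes(range(20)))  # function 4, two data blocks (16 + 4)
    bad_header = bytearray(reset)
    bad_header[5] ^= 0x01                                  # flip a DEST bit; header CRC no longer matches
    bad_block = bytearray(with_data)
    bad_block[12] ^= 0xFF                                  # corrupt an octet inside data block 0
    under_len = START + bytes([2, 0xC0]) + b"\x01\x00\x00\x00"
    under_len += crc_dnp(under_len).to_bytes(2, "little")  # valid CRC but LENGTH below the minimum
    return {
        "reset": reset,
        "with_data": with_data,
        "bad_header_crc": bytes(bad_header),
        "bad_block_crc": bytes(bad_block),
        "length_below_min": under_len,
        "truncated": with_data[:-3],                       # LENGTH promises more octets than arrived
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        ok, why = validate_frame(frame)
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The size check runs before any data-block CRC is read on purpose: LENGTH is attacker-controlled, and a validator that trusts it to index into the buffer has the same class of defect the advisory describes. Rejecting a frame whose LENGTH and actual size disagree is a pure arithmetic decision that never reads past the buffer.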