OSIsoft Mitigates Hole in DNP3 Line

Wednesday, April 9, 2014 @ 05:04 PM gHale


OSIsoft has released an update that mitigates an improper input validation vulnerability in its PI Interface for DNP3 product, according to an advisory from ICS-CERT.

Adam Crain of Automatak and Chris Sistrunk, Sr. Consultant for Mandiant, discovered the vulnerability. OSIsoft and Automatak tested the new version to validate that it resolves the remotely exploitable vulnerability.


All versions of the OSIsoft PI Interface for DNP3 prior to Version 3.1.2.54 suffer from the issue.

The OSIsoft PI Interface for DNP3 (master station) can experience a denial-of-service (DoS) condition when it receives a specially crafted DNP3 response message from an outstation/slave over an IP-based network, resulting in an unexpected shutdown of the interface. Where the interface talks to the outstation over a serial connection, the same attack is possible but requires physical access to the outstation. The PI Interface for DNP3 must be restarted manually to clear the condition.
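The advisory describes the failure mode (a crafted response shuts the master down) but not which part of the message was malformed, so the example below does not reproduce the defect. It is an added illustration, not OSIsoft's code: a defensive DNP3 link-layer frame validator showing the checks a master should apply to an outstation's response before trusting it, namely start bytes, a LEN field that agrees with the bytes actually received, and a valid CRC-DNP on the header and on each 16-byte user-data block, so that a malformed frame is rejected with a reason instead of taking the interface down. The frame contents, link addresses and the `with_len` forging helper are constructed for the example.

```python
"""Defensive parser for a DNP3 link-layer frame (IEEE 1815).

Added illustration, not OSIsoft's code: the advisory does not say which
field the crafted response malformed, so this shows generic link-layer
validation a master station should perform on any outstation response.
"""

START = b"\x05\x64"
HEADER_LEN = 10  # 0x05 0x64 LEN CTRL DEST(2) SRC(2) CRC(2)
MIN_LEN = 5      # LEN counts CTRL+DEST+SRC (5 bytes) plus user data


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, output inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Encode a frame with a correct LEN and CRCs (used to construct samples)."""
    if len(user_data) > 250:
        raise ValueError("user data exceeds 250 bytes")
    header = (START + bytes([MIN_LEN + len(user_data), ctrl])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + crc_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + crc_dnp(block).to_bytes(2, "little")
    return frame


def with_len(frame: bytes, length: int) -> bytes:
    """Re-sign the header with a different LEN, as a protocol-aware attacker would (constructed helper)."""
    header = frame[:2] + bytes([length]) + frame[3:8]
    return header + crc_dnp(header).to_bytes(2, "little") + frame[10:]


def parse_frame(raw: bytes) -> dict:
    """Validate and decode one frame; raise ValueError rather than trusting bad input."""
    if len(raw) < HEADER_LEN:
        raise ValueError(f"truncated header: {len(raw)} bytes")
    if raw[:2] != START:
        raise ValueError("bad start bytes")
    header, hcrc = raw[:8], int.from_bytes(raw[8:10], "little")
    if crc_dnp(header) != hcrc:
        raise ValueError("header CRC mismatch")
    length = raw[2]
    if length < MIN_LEN:
        raise ValueError(f"LEN {length} below minimum {MIN_LEN}")
    ud_len = length - MIN_LEN
    blocks = (ud_len + 15) // 16          # user data is sent in 16-byte blocks, each with its own CRC
    expected = HEADER_LEN + ud_len + 2 * blocks
    if len(raw) != expected:              # never index past what was actually received
        raise ValueError(f"LEN implies {expected} bytes, got {len(raw)}")
    user_data = bytearray()
    pos = HEADER_LEN
    for _ in range(blocks):
        n = min(16, ud_len - len(user_data))
        block = raw[pos:pos + n]
        bcrc = int.from_bytes(raw[pos + n:pos + n + 2], "little")
        if crc_dnp(block) != bcrc:
            raise ValueError(f"user data CRC mismatch at offset {pos}")
        user_data += block
        pos += n + 2
    return {
        "ctrl": raw[3],
        "dest": int.from_bytes(raw[4:6], "little"),
        "src": int.from_bytes(raw[6:8], "little"),
        "user_data": bytes(user_data),
    }


def classify(raw: bytes) -> str:
    """Return 'ok' or the rejection reason, so a bad frame is logged rather than fatal."""
    try:
        parse_frame(raw)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample: a response from outstation address 10 to master address 1.
    good = build_frame(0x44, 1, 10, bytes(range(20)))
    print(classify(good))
    # Constructed malformed variants of the kind a master must survive.
    print(classify(good[:-3]))                          # truncated on the wire
    print(classify(with_len(good, 4)))                  # LEN below the legal minimum
    print(classify(with_len(good, 200)))                # LEN claims far more data than was sent
    print(classify(good[:-1] + bytes([good[-1] ^ 1])))  # corrupted block CRC
```

Running the script accepts the well-formed frame and rejects each variant with a reason. The design point is that every length used for indexing is derived from what was actually received and cross-checked against LEN before any byte is read, and that a rejection surfaces as a logged error while the session stays up, since the impact in the advisory is precisely that the interface stops and needs a manual restart.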

OSIsoft is a U.S.-based company that maintains its headquarters in San Leandro, CA, with operations globally.

The affected product, PI Interface for DNP3, collects information from DNP3-compliant outstations. According to OSIsoft, PI Interface for DNP3 is deployed across electric and water utilities. OSIsoft estimates these products see use primarily in North America, with a small percentage in Asia and Europe.

Because the vulnerability affects both Internet Protocol-connected and serial-connected deployments, it carries two CVE identifiers and two CVSS scores.

For IP-connected deployments: the OSIsoft PI Interface DNP Master Driver does not properly validate input, and an attacker could cause the PI Interface for DNP3 to shut down unexpectedly with a specially crafted TCP packet, requiring a manual restart to clear the condition. CVE-2013-2809 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

For serial-connected deployments: the same input validation flaw lets an attacker cause the PI Interface for DNP3 to shut down unexpectedly, again requiring a manual restart to clear the condition. CVE-2013-2828 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.

The serial-based vulnerability is not exploitable remotely. There must be local access to the serial-based outstation.

No known public exploits specifically target this vulnerability. However, an attacker with moderate skill could craft an IP packet that exploits the vulnerability against an IP-connected device.

Exploiting the serial-based vulnerability requires a more highly skilled attacker, because it needs either physical access to the device or some amount of social engineering.

OSIsoft has produced a software update that resolves these vulnerabilities. OSIsoft encourages users to upgrade to Version 3.1.2.54 or later. The software update is available on the OSIsoft technical support web site.

The researchers also suggest blocking DNP3 traffic from traversing onto business or corporate networks, using an intrusion prevention system or firewall with DNP3-specific rule sets, to add a further layer of protection.
