Schneider Patches DNP3 Vulnerability

Monday, February 3, 2014 @ 02:02 PM gHale


Schneider Electric produced a patch that mitigates an improper input validation vulnerability in the Telvent SAGE 3030 remote terminal unit (RTU), according to a report on ICS-CERT.

The following Schneider Electric versions suffer from the remotely exploitable vulnerability:
• All versions released prior to December 1, 2013,
• Telvent SAGE 3030 C3413-500-001D3_P4 (Firmware from 2010), and
• Telvent SAGE 3030 C3413-500-001F0_PB (Latest Firmware).


Successful exploitation of this vulnerability, discovered by Adam Crain of Automatak and independent researcher Chris Sistrunk, could allow an attacker to affect the availability of the DNP3 master-slave communication in Telvent SAGE 3030 devices.

Schneider Electric is a European-based company that maintains offices in 190 countries worldwide.

The affected products, Telvent SAGE 3030 RTUs, are industrial data communications devices. These products end up deployed across several sectors including the energy sector, according to Schneider Electric, which also said these products see use primarily in the United States and North America.

The DNP3 service in Telvent SAGE RTUs incorrectly validates some malformed input. Successful exploitation of this vulnerability disables communications and induces high system load for a short period of time (as in a denial-of-service attack).

CVE-2013-6143 is the case number for this vulnerability, which has a CVSS v2 base score of 4.3.

No known public exploits specifically target this vulnerability. An attacker with low skill would be able to exploit this vulnerability.

As mentioned, Schneider created a patch to mitigate this vulnerability on the C3414 LX-800-based RTUs using the latest VxWorks 6.9.3 OS. Customers may obtain this patch by contacting the Schneider Electric Customer Service Department at 713-920-6832.

For further information, please find a description and release notes in the Schneider Electric RTU Software Security Bulletin number RTUSW 13001 “Schneider Electric Telvent SAGE RTU DNP3 Improper Input Validation” published December 30, 2013.

Because this vulnerability is identifiable with fuzzing tools, the researchers suggest developers use extensive negative testing during quality control of products. The researchers also suggest blocking DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets.
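As an illustration of the negative testing the researchers recommend, the following added example (not code from Schneider Electric, ICS-CERT or the researchers) strictly validates DNP3 link-layer framing and then feeds the validator truncated and corrupted frames. It does not reproduce the malformed input behind this advisory, which the report does not describe; the function names and sample frame are constructed for the example.

```python
import random
import struct

def crc16_dnp(data: bytes) -> bytes:
    """CRC-16/DNP (reflected poly 0xA6BC, init 0, complemented), little-endian."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return struct.pack("<H", crc ^ 0xFFFF)

def build_frame(ctrl: int, dest: int, src: int, payload: bytes = b"") -> bytes:
    """Build a well-formed frame (constructed test input, payload <= 250 bytes)."""
    header = struct.pack("<BBBBHH", 0x05, 0x64, 5 + len(payload), ctrl, dest, src)
    out = header + crc16_dnp(header)
    for i in range(0, len(payload), 16):  # each 16-byte data block carries a CRC
        out += payload[i:i + 16] + crc16_dnp(payload[i:i + 16])
    return out

def validate_frame(frame: bytes) -> str:
    """Return "ok" or a rejection reason; never raises on malformed input."""
    if len(frame) < 10:
        return "truncated header"
    if frame[0:2] != b"\x05\x64":
        return "bad start bytes"
    user_len = frame[2] - 5  # LEN counts control, addresses and user data
    if user_len < 0:
        return "length below minimum"
    if frame[8:10] != crc16_dnp(frame[:8]):
        return "bad header CRC"
    if len(frame) != 10 + user_len + 2 * ((user_len + 15) // 16):
        return "size does not match length field"
    for pos in range(10, len(frame), 18):  # 16 data bytes + 2 CRC bytes
        chunk = frame[pos:pos + 18]
        if chunk[-2:] != crc16_dnp(chunk[:-2]):
            return "bad data CRC"
    return "ok"

def negative_test(rounds: int = 2000, seed: int = 1) -> int:
    """Truncate and corrupt a valid frame at random; count rejections."""
    rng = random.Random(seed)
    good = build_frame(0xC4, 1, 1024, bytes(20))
    rejected = 0
    for _ in range(rounds):
        bad = bytearray(good[:rng.randint(1, len(good))])
        bad[rng.randrange(len(bad))] ^= rng.randint(1, 255)
        rejected += validate_frame(bytes(bad)) != "ok"
    return rejected
```

Every mutated frame should be rejected with a reason rather than an exception, so `negative_test()` returning anything less than `rounds` points to a validation gap.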


