SEL Fixes Improper Input Validation

Thursday, August 8, 2013 @ 05:08 PM gHale


Schweitzer Engineering Laboratories (SEL) updated its firmware that mitigates the improper DNP3 input validation in the company’s real-time automation controllers (RTAC), according to a report on ICS-CERT.

Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the remotely exploitable vulnerability, tested this version to validate that it resolves the vulnerability.

The following SEL products suffer from the issue:
• SEL-3530-R100-V0-Z001001-D20090915 through SEL-3530-R123-V0-Z002001
• SEL-3530-4-R107-V0-Z001001-D20100818 through SEL-3530-4-R123-V0-Z002001-D20130117
• SEL-3505-R119-V0-Z001001-D20120720 through SEL-3505-R123-V0-Z002001-D20130117
• SEL-2241-R113-V0-Z001001-D20110721 through SEL-2241-R123-V0-Z002001-D20130117

A specially crafted TCP packet sent from the master station on an IP-based network can cause the RTAC master device to go into an infinite loop. If the device connects via a serial connection, the same attack can work with physical access to the master station. In certain conditions the DNP3 driver will automatically restart and resume communications. Under more severe conditions the device ALARM contact will assert, indicating a problem, and the device configuration settings must be reloaded.

SEL is a U.S.-based company that maintains offices in the United States and around the world.

The affected products are RTACs designed for industrial environments. These devices mostly see use in the electric utilities subsector of the energy sector. SEL estimates these products primarily see action in North America and Europe with a small percentage in Asia.

As this vulnerability affects Internet Protocol-connected and serial-connected devices, two CVSS scores have been calculated.

The SEL RTAC master does not validate, or incorrectly validates, input. An attacker could cause the software to go into an infinite loop, causing the process to crash. In certain conditions the DNP3 driver will automatically restart and resume communications. Under more severe conditions the device ALARM contact will assert, indicating a problem, and the device configuration settings must be reloaded.
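The advisory does not say which malformed input trips the RTAC, so the following cannot reproduce the defect; it is an added example of what strict input validation at the DNP3 link layer looks like on the receiving side, written for this article and not taken from SEL, ICS-CERT or the researchers. The frame layout and the CRC-16/DNP parameters are assumed from the public DNP3 (IEEE 1815) link-layer specification; the sample frames and the `build_frame`, `parse_frame` and `triage` names are constructed for the example. The design point is that every loop is bounded by a length that has already been range-checked against the buffer actually received, so a bad length byte, a truncated frame or a corrupted CRC is rejected with an error instead of spinning the driver.

```python
"""Strict DNP3 link-layer frame validation (added example, not vendor code).

Link-layer frame layout assumed from IEEE 1815 / DNP3:
  0x05 0x64 | LEN | CTRL | DEST (2, LE) | SRC (2, LE) | CRC (2, LE)
  then user data in blocks of up to 16 bytes, each followed by a 2-byte CRC.
LEN counts CTRL + DEST + SRC + user data (CRCs excluded), so LEN >= 5.
"""
from dataclasses import dataclass

START = b"\x05\x64"
MIN_LEN = 5          # CTRL + DEST + SRC with no user data
MAX_LEN = 255        # LEN is a single byte
BLOCK = 16           # user-data bytes per CRC-protected block


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, xorout 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


class FrameError(ValueError):
    """Raised for any frame that fails validation; the caller drops it."""


@dataclass
class LinkFrame:
    control: int
    dest: int
    src: int
    user_data: bytes


def frame_size(length: int) -> int:
    """Total on-the-wire bytes implied by a (range-checked) LEN byte."""
    user = length - MIN_LEN
    blocks = (user + BLOCK - 1) // BLOCK
    return 10 + user + 2 * blocks


def parse_frame(buf: bytes) -> LinkFrame:
    """Validate and decode one frame; every check precedes the data it guards."""
    if len(buf) < 10:
        raise FrameError("short header")
    if buf[:2] != START:
        raise FrameError("bad start bytes")
    length = buf[2]
    if not MIN_LEN <= length <= MAX_LEN:
        raise FrameError(f"length {length} out of range")
    if crc_dnp(buf[:8]) != int.from_bytes(buf[8:10], "little"):
        raise FrameError("header CRC mismatch")
    # Compare the claimed size with what was actually received before
    # touching any data block, so the loop below can never read past buf.
    if len(buf) < frame_size(length):
        raise FrameError("truncated frame")
    user = bytearray()
    pos, remaining = 10, length - MIN_LEN
    while remaining > 0:                      # remaining shrinks by >= 1 each pass
        n = min(BLOCK, remaining)
        block = buf[pos:pos + n]
        crc = int.from_bytes(buf[pos + n:pos + n + 2], "little")
        if crc_dnp(block) != crc:
            raise FrameError(f"data CRC mismatch at offset {pos}")
        user += block
        pos += n + 2
        remaining -= n
    return LinkFrame(buf[3], int.from_bytes(buf[4:6], "little"),
                     int.from_bytes(buf[6:8], "little"), bytes(user))


def build_frame(control: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Encode a well-formed frame (used here only to construct test input)."""
    if len(user_data) > MAX_LEN - MIN_LEN:
        raise FrameError("user data too long for one frame")
    hdr = (START + bytes([MIN_LEN + len(user_data), control])
           + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    out = bytearray(hdr + crc_dnp(hdr).to_bytes(2, "little"))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        out += block + crc_dnp(block).to_bytes(2, "little")
    return bytes(out)


def triage(samples: dict) -> dict:
    """Run the validator over labelled byte strings; returns label -> verdict."""
    verdicts = {}
    for label, raw in samples.items():
        try:
            f = parse_frame(raw)
            verdicts[label] = f"ok dest={f.dest} src={f.src} user={len(f.user_data)}B"
        except FrameError as e:
            verdicts[label] = f"rejected: {e}"
    return verdicts


# Constructed samples: one good frame and three malformed variants.
GOOD = build_frame(0xC4, 1, 1024, b"hello dnp3 world!!")       # 18 B -> 2 blocks
CORRUPT = GOOD[:-1] + bytes([GOOD[-1] ^ 0xFF])                  # flip last CRC byte
SAMPLES = {
    "good": GOOD,
    "zero_length": b"\x05\x64\x00" + b"\x00" * 7,               # LEN below minimum
    "oversized_length": b"\x05\x64\xff" + b"\x00" * 7,          # LEN 255, 10 B received
    "corrupt_crc": CORRUPT,
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLES).items():
        print(f"{label:18s} {verdict}")
```

Run stand-alone, the script prints one verdict per constructed sample; only `good` decodes, and each malformed frame is dropped at the first check it fails rather than being fed to the block loop. A master-side driver built this way can still lose a frame to a hostile peer, but it cannot be pushed into the unbounded loop the advisory describes.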

The following scoring is for IP-connected devices.

CVE-2013-2792 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

The following scoring is for serial-connected devices.

CVE-2013-2798 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.

As mentioned, the IP-based vulnerability is remotely exploitable; the serial-based vulnerability is not, because local access to the serial-based outstation is required.

No known public exploits specifically target these vulnerabilities, but an attacker with a moderate skill level could craft an IP packet able to exploit this vulnerability on an IP-based device.

An attacker with a high skill level could exploit the serial-based vulnerability, as physical access to the device or some amount of social engineering is required.

SEL recommends that customers affected by this issue contact their SEL sales representative or customer service representative to obtain a free firmware upgrade CD-ROM packet, including upgrade instructions.

In addition, the researchers suggest the following mitigations:
• Block DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets.