MatrikonOPC Mitigates Vulnerability

Monday, December 1, 2014 @ 01:12 PM gHale

MatrikonOPC created a new version that mitigates an unhandled C++ exception in its DNP3 application, according to a report on ICS-CERT.

Adam Crain of Automatak and Chris Sistrunk of Mandiant discovered the remotely exploitable vulnerability.


MatrikonOPC Server for DNP3 Version suffers from the issue.

An attacker could potentially use this vulnerability to craft an exploit that causes a denial-of-service (DoS) loop in the MatrikonOPC Server for DNP3 Windows service. A successful exploit would disrupt OPC data until the user manually restarts the OPC Server.

MatrikonOPC is an Edmonton, Canada-based company that maintains offices in several countries around the world, including the United States, Germany, Russia, Australia, Singapore, Norway, Brazil, UK, India, Spain, Portugal, and Costa Rica.

The affected product, MatrikonOPC Server for DNP3, is Microsoft Windows-based software that facilitates connectivity to multiple DNP3 compliant devices such as remote terminal units, programmable logic controllers, and meters. MatrikonOPC Server for DNP3 sees action across several sectors including the chemical and energy industries. MatrikonOPC products see use primarily in the U.S., Canada, and UK.

An unhandled C++ exception occurs upon receiving a specifically formatted message. The DNP3 process within the Windows service crashes, and the service cannot be stopped via the services dialog. Restoration of service requires a system reboot.

CVE-2014-5426 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.8.

No known public exploits specifically target this vulnerability. However, an attacker with moderate skill would be able to exploit this vulnerability.

MatrikonOPC recommends that asset owners obtain and install the new version as follows:
• Visit the support site
• Click on the Product Advisory section, and read the posted security notification “Security Notification OPC Server for SCADA DNP3 SN 2014-10-14-01”
• Contact OPC Support to obtain the new version of the OPC server for DNP3
• Install the new version of the OPC Server for DNP3

The researchers suggest the following mitigation: Block DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets.
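One way to check that this segmentation actually holds is to audit firewall flow records for allowed DNP3 sessions that cross a zone boundary. The script below is an added example, not code from MatrikonOPC, ICS-CERT, or the researchers; the subnets, the log format, and the sample records are constructed assumptions, and it matches DNP3 by its registered port 20000 rather than by inspecting payloads.

```python
import ipaddress

DNP3_PORT = 20000  # IANA-registered DNP3 port (TCP and UDP)

# Assumed zone layout; replace with the site's real address plan.
ZONES = {
    "control": [ipaddress.ip_network("10.10.0.0/16")],
    "corporate": [ipaddress.ip_network("192.168.0.0/16")],
}

# Constructed flow records: "proto src_ip src_port dst_ip dst_port action"
SAMPLE_FLOWS = """\
tcp 10.10.1.5 49152 10.10.2.20 20000 allow
tcp 192.168.4.17 51000 10.10.2.20 20000 allow
udp 10.10.2.20 20000 192.168.4.17 51000 allow
tcp 192.168.4.17 51001 10.10.2.20 20000 deny
tcp 192.168.4.17 51002 10.10.2.20 443 allow
tcp 203.0.113.9 40000 10.10.2.20 20000 allow
"""

def zone_of(ip):
    """Map an address to a named zone; anything unlisted is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"

def dnp3_boundary_violations(flow_text):
    """Return allowed DNP3 flows whose endpoints sit in different zones."""
    findings = []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed records
        proto, src, sport, dst, dport, action = fields
        if proto not in ("tcp", "udp") or action != "allow":
            continue
        try:
            ports = (int(sport), int(dport))
            src_zone, dst_zone = zone_of(src), zone_of(dst)
        except ValueError:
            continue  # unparsable port or address
        if DNP3_PORT in ports and src_zone != dst_zone:
            findings.append((lineno, proto, src_zone, dst_zone))
    return findings

if __name__ == "__main__":
    for f in dnp3_boundary_violations(SAMPLE_FLOWS):
        print("DNP3 crossing zone boundary: line %d %s %s -> %s" % f)
```

Any finding means a permit rule lets DNP3 leave or enter the control zone; a client whose ephemeral source port happens to be 20000 can produce a false positive.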
