MatrikonOPC Patches Vulnerabilities

Monday, April 29, 2013 @ 08:04 PM gHale

MatrikonOPC produced patches that mitigate the vulnerabilities in two of its products, the MatrikonOPC A&E Historian and MatrikonOPC Security Gateway, according to a report on ICS-CERT.

Researcher Dillon Beresford of Cimation, who found the holes, tested the patches to validate that they resolve the remotely exploitable vulnerabilities.

The following MatrikonOPC A&E Historian and MatrikonOPC Security Gateway versions suffer from the issue:
• MatrikonOPC A&E Historian Version, and
• MatrikonOPC Security Gateway Version 1.0.

By sending a specially crafted packet to Port 8543/TCP when the Health Monitor service is running, an attacker can exploit a directory traversal vulnerability and read any file on the server running the Historian Health Monitor service. When an attacker accesses a file on the affected system using this directory traversal mechanism, the file may end up deleted by the MatrikonOPC software. MatrikonOPC has notified all affected customers.

The vulnerability that affects MatrikonOPC Security Gateway can cause a temporary denial of service: an unhandled exception crashes a utility that ships with the OPC Security Gateway and is used to configure it. The crash occurs when a reset command is sent to Port 30544/TCP while the connection is active. Although this vulnerability is remotely exploitable, the potential impact is relatively low. No arbitrary code exploit is possible, and the OPC Security Gateway continues to function.

MatrikonOPC is a U.S.-based company whose products serve the oil and gas, mining, power and utilities, petrochemical, and other industries. MatrikonOPC products see use in the U.S., Canada, and UK.

The first affected product, MatrikonOPC A&E Historian, records alarms and events that occur within an ICS OPC network. The MatrikonOPC A&E Historian includes a Health Monitor service that allows the user to monitor the health and performance of the Historian’s Web server and servlets.

The second affected product, the MatrikonOPC Security Gateway, provides a link between an ICS OPC network and external networks to provide traffic isolation and enforce security policies. This product works in OPC network applications and sees use mainly in the U.S., Canada, and the UK.

The MatrikonOPC A&E Historian incorporates a Health Monitor service that publishes a Web interface to allow users to monitor control components and activities on the ICS network. This Web interface has a vulnerability where a user can access system files by modifying the URL in a browser.

CVE-2013-0673 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.4.
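
As an added example (not code from ICS-CERT, MatrikonOPC, or the researcher), the following Python sketch shows how a defender could review web access logs from a host running the Health Monitor service for traversal-style requests. The Common Log Format, the sample lines, and all function names are assumptions constructed for illustration; the product's actual log format is not described here.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (assumed format, not product output).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Apr/2013:10:01:02 +0000] "GET /status/index.html HTTP/1.1" 200 512
10.0.0.9 - - [29/Apr/2013:10:01:07 +0000] "GET /status/../../conf/example.xml HTTP/1.1" 200 2048
10.0.0.9 - - [29/Apr/2013:10:01:09 +0000] "GET /status/%2e%2e%5c%2e%2e%5cnotes.txt HTTP/1.1" 200 211
10.0.0.7 - - [29/Apr/2013:10:02:00 +0000] "GET /reports/v1..2/summary.html HTTP/1.1" 200 900
10.0.0.9 - - [29/Apr/2013:10:02:30 +0000] "GET /status/%252e%252e/%252e%252e/notes.txt HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(target):
    """True if any path or query component of the request target is exactly '..'."""
    normalised = fully_decode(target).replace("\\", "/")
    # Split on path and query delimiters; a name like 'v1..2' is not a match.
    return ".." in re.split(r"[/?&=]", normalised)

def find_traversal_requests(log_text):
    """Return (source, raw target, HTTP status) for each traversal-style request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and has_traversal(m.group("target")):
            hits.append((m.group("src"), m.group("target"), int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for src, target, status in find_traversal_requests(SAMPLE_LOG):
        # A 200 response means the request was served and needs follow-up first.
        flag = "SERVED" if status == 200 else "rejected"
        print(f"{src} {status} {flag} {target}")
```

Because the affected software may delete a file accessed this way, any hit that was served should also prompt a check that the referenced file still exists on the server.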

A valid TCP/IP reset packet (RST) sent to Port 30544/TCP causes the configuration utility to crash with an unhandled exception. CVE-2013-0666 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

No known public exploits specifically target these vulnerabilities. An attacker with low skill would be able to exploit these vulnerabilities if the devices are exposed to the Internet.

MatrikonOPC produced patches that mitigate these vulnerabilities. A user can download and install the patches using the following process:
1. Log into MatrikonOPC’s support portal.
2. Select the Online Support tab.
3. Scroll down to the Product Advisory topic.
4. Click on Security Notification for A&E Historian or Security Gateway.
5. Read the vendor advisory and download the patch using the patch link.
6. Run the patch installer on the computer running the affected software product.
