MatrikonOPC Patches Vulnerability

Wednesday, February 12, 2014 @ 11:02 PM gHale

MatrikonOPC created a patch that mitigates the improper input validation vulnerability in the MatrikonOPC SCADA DNP3 OPC Server application, according to a report on ICS-CERT.

Researchers Adam Crain of Automatak and independent researcher Chris Sistrunk, who discovered the vulnerability, tested the patch to validate it resolves the remotely exploitable vulnerability.


MatrikonOPC SCADA DNP3 OPC Server versions older than Version suffer from the issue.

An attacker could potentially use this vulnerability to craft an exploit to cause a denial-of-service (DoS) loop in the MatrikonOPC Server for DNP3 Windows service. This requires a reboot of the system to restart DNP3 communications. After the service falls into the DoS condition, the configuration tool experiences a read access violation.

MatrikonOPC is an Edmonton, Canada-based company that maintains offices in several countries around the world, including the United States, Canada, Germany, Russia, Australia, Singapore, Norway, Brazil, UK, India, Spain, Portugal, and Costa Rica.

The affected product, SCADA DNP3 OPC Server, is Microsoft Windows-based software that facilitates connectivity to multiple DNP3 compliant devices such as remote terminal units, programmable logic circuits, and meters. The SCADA DNP3 OPC Server deploys across several sectors including chemical and energy. MatrikonOPC products are used primarily in the US, Canada, and UK, according to MatrikonOPC.

The susceptible versions of MatrikonOPC contain a specific vulnerability that may cause the server to exit and communications to stop. This only happens after the server (master station) successfully connects to a device (outstation) that returns a malformed DNP3 packet. The process never recovers and cannot shut down. The Windows operating system on the master station would have to reboot to reestablish communications. After the service falls into a DoS condition, the configuration tool experiences a read access violation on further reboots.
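A master station's correct response to such a frame is to reject it and keep running. The following is an added example, not MatrikonOPC's code or anything from the ICS-CERT advisory; it assumes the standard DNP3 link-layer framing (0x05 0x64 start bytes, one-byte LENGTH, an 8-byte header with its own CRC, then 16-byte data blocks each followed by a CRC) and returns a reason for every malformed input instead of crashing or looping. The sample frames are constructed inside the code.

```python
import struct

DNP3_START = b"\x05\x64"      # every DNP3 link-layer frame begins with 0x05 0x64
MAX_LENGTH = 255              # LENGTH is one byte; it counts control, dest, src and user data

def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: polynomial 0x3D65 (reflected 0xA6BC), init 0, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_link_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a well-formed frame: 8-byte header + CRC, then 16-byte data blocks each with a CRC."""
    if len(user_data) > MAX_LENGTH - 5:
        raise ValueError("user data exceeds 250 bytes")
    header = DNP3_START + bytes([5 + len(user_data), control]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame

def validate_link_frame(frame: bytes) -> tuple:
    """Return (True, "ok") for a well-formed frame, else (False, reason). Never raises on bad input."""
    if len(frame) < 10:
        return False, "frame shorter than the 10-byte header"
    if frame[:2] != DNP3_START:
        return False, "bad start bytes"
    length = frame[2]
    if length < 5:
        return False, "LENGTH below minimum of 5"
    if dnp3_crc(frame[:8]) != struct.unpack("<H", frame[8:10])[0]:
        return False, "header CRC mismatch"
    user_len = length - 5
    expected = 10 + user_len + 2 * ((user_len + 15) // 16)   # header + data + one CRC per block
    if len(frame) != expected:
        return False, f"LENGTH={length} implies {expected} bytes, got {len(frame)}"
    pos, remaining = 10, user_len
    while remaining > 0:                      # verify every data block's CRC before trusting it
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], struct.unpack("<H", frame[pos + n:pos + n + 2])[0]
        if dnp3_crc(block) != crc:
            return False, f"data block CRC mismatch at offset {pos}"
        pos, remaining = pos + n + 2, remaining - n
    return True, "ok"
```

Feeding the validator a copy of a good frame with one flipped byte, a truncated frame, or ten zero bytes yields a `(False, reason)` result every time, which is the behaviour the advisory's "never recovers" failure mode lacks.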

CVE-2013-2829 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

No known public exploits specifically target this vulnerability. An attacker with a moderate skill would be able to exploit this vulnerability.

MatrikonOPC recommends customers obtain and install the patch.

Click on the Product Advisory section, and read the posted security notification.

Contact OPC Support to obtain the new version of the OPC server for DNP3. Install the new version of the OPC Server for DNP3.

The researchers suggest the following mitigation: Block DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets.
