SUBNET Hot Fix for Vulnerability

Monday, August 4, 2014 @ 03:08 PM gHale

SUBNET Solutions Inc. created a hot fix that mitigates a buffer overflow vulnerability in its SubSTATION Server 2, Telegyr 8979 Master application, according to a report on ICS-CERT.

Researchers Adam Crain of Automatak and Chris Sistrunk of Mandiant, who discovered the remotely exploitable hole, tested the new hot fix and validated it resolves the vulnerability.


All versions of the SubSTATION Server 2 Telegyr 8979 Master Protocol suffer from the issue.

Sending specially crafted invalid RTU messages to the Telegyr 8979 master can cause a buffer overflow, resulting in a denial of service (DoS).

SubSTATION Server, from Calgary, Alberta, Canada-based SUBNET, is a vendor-agnostic multifunction software application used in intelligent substation automation and IT networking.

SubSTATION Server performs data concentration, protocol translation, automation logic, event file collection, and enterprise connectivity. This allows replacement of separate legacy devices, such as RTU data concentrators and relay communications processors, used in the operation of electrical substations. SubSTATION Server sees action in the energy sector, including oil and gas and electric utilities. SUBNET said these products see use primarily in the United States and Canada.

The researchers found that by sending a specially crafted packet simulating an RTU-to-Master message that exceeds the allowable data length, an attacker can cause the Telegyr 8979 Master to crash. SUBNET also discovered that after a specially crafted message containing a valid data length is sent, any subsequent message sent immediately to the Telegyr 8979 will also crash the service. SUBNET determined the root issue was in the GPT software library.

CVE-2014-2357 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.

No known public exploits specifically target these vulnerabilities. Crafting a working exploit for these vulnerabilities would be difficult. An attacker with a moderate to high skill level would be able to exploit these vulnerabilities.

SUBNET created a hot fix “SSNET v2.12 HF18808” to resolve this issue.

A user can obtain the hot fix via secure FTP provided by the SUBNET support department. Please contact SUBNET Customer Support at: (403) 270-8885, or by email and reference SUBNET Release Bulletin “SubSTATION Server 2.12 HF18808 Release, 21 May 2014.”

Vendor Recommendation:
• The exploit results in an unrecoverable exception, but all software components end up registered as Services under Windows, and users can configure them to restart automatically after any stoppage, which limits the DoS to a momentary disruption.
• Backward compatible releases will be available by request for customers using older versions of SubSTATION Server.
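
One way to apply the automatic-restart recommendation above, as an added example that is not from SUBNET or ICS-CERT. The service name is a placeholder (the page does not list the names SubSTATION Server registers), the delay, reset period and threshold are assumed values, and the script assumes an elevated PowerShell prompt. Because automatic restart hides crashes from operators, it also counts unexpected terminations logged by the Service Control Manager.

```powershell
# Added example: the service name below is a placeholder, not a real name.
# Replace it with the service names your SubSTATION Server installation registers.
param(
    [string[]]$ServiceName = @('<SUBSTATION-SERVICE-NAME>'),  # placeholder
    [int]$RestartDelayMs  = 5000,    # assumed delay before each restart
    [int]$ResetPeriodSec  = 86400,   # assumed: failure counter resets after one day
    [int]$LookbackHours   = 24,      # assumed review window
    [int]$CrashThreshold  = 3        # assumed alerting threshold
)

foreach ($name in $ServiceName) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$name' not found; skipping."; continue }

    # Restart on the first, second and all subsequent failures.
    $actions = "restart/$RestartDelayMs/restart/$RestartDelayMs/restart/$RestartDelayMs"
    sc.exe failure $svc.Name reset= $ResetPeriodSec actions= $actions | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "sc.exe failure returned $LASTEXITCODE for '$name'."
        continue
    }

    # Print the resulting recovery configuration for review.
    sc.exe qfailure $svc.Name

    # Count unexpected terminations recorded by the Service Control Manager
    # (event IDs 7031 and 7034) so repeated crashes are not masked by the restart.
    $crashes = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Service Control Manager'
            Id           = 7031, 7034
            StartTime    = (Get-Date).AddHours(-$LookbackHours)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$($svc.DisplayName)*" })

    if ($crashes.Count -ge $CrashThreshold) {
        Write-Warning "$($svc.DisplayName): $($crashes.Count) unexpected terminations in the last $LookbackHours h."
    }
}
```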
