2013-08-29

Triangle MicroWorks created an update that mitigates an improper input validation vulnerability in multiple products and third party components, according to a report on ICS-CERT.

Adam Crain of Automatak and independent researcher Chris Sistrunk discovered the vulnerability and Adam Crain tested the update to validate that it resolves the vulnerability.


The following Triangle MicroWorks products suffer from the issue:

• SCADA Data Gateway, v2.50.0309 through v3.00.0616

• DNP3 .NET Protocol components, v3.06.0.171 through v3.15.0.369

• DNP3 ANSI C source code libraries, v3.06.0000 through v3.15.0000

A specially crafted TCP packet sent from the master station over an IP-based network can put the outstation into an infinite loop. If the device communicates over a serial connection, the same attack is possible given physical access to the master station. The device must be shut down and restarted to clear the loop state.

The affected Triangle MicroWorks products are stand-alone applications or third-party components that communicate with outstation/slave devices over various transmission protocols (e.g., OPC Client, IEC 60870-6 (TASE.2/ICCP) Client, IEC 60870-5, DNP3, and/or Modbus).

According to Raleigh, NC-based Triangle MicroWorks, the products deploy across several sectors including electric utilities, transportation systems, water, and government facilities. Triangle MicroWorks estimates these products see use primarily in the United States and Europe/Asia with a small percentage in South America and Australia/New Zealand.

As this vulnerability affects Internet Protocol-connected and Serial-connected devices, there are two CVSS scores.

The Triangle MicroWorks software incorrectly validates input. An attacker could send a specifically crafted TCP packet that drives the software into an infinite loop, causing the process to crash. The system must be manually restarted to clear the condition.

The following scoring is for IP-connected devices. CVE-2013-2793 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

The following scoring is for serial-connected devices. CVE-2013-2794 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.

The IP-based vulnerability is remotely exploitable, while the serial-based vulnerability is not; local access to the serial-connected outstation is required.

No known public exploits specifically target this vulnerability. An attacker with a moderate skill level could craft an IP packet that exploits this vulnerability on an IP-connected device. Exploiting the serial-based vulnerability would require an attacker with a high skill level, because some physical access to the device or some amount of social engineering is needed.

Triangle MicroWorks produced an update and release notes describing the mitigation. Contact Triangle MicroWorks Support for details on specific platform updates.
