Today the DHS ICS-CERT published an advisory for an improper input validation vulnerability in the Kepware Technologies DNP Master Driver. The vulnerability was reported by Adam Crain and Chris Sistrunk in a coordinated disclosure.
ICS-CERT reports that a moderately skilled attacker could exploit this vulnerability to conduct a denial-of-service attack or possibly execute arbitrary code on the system. Kepware has produced an updated version of the software that has been validated by Crain and Sistrunk.
The Project Robus page now shows four published DNP3-related ICS-CERT advisories that were based upon work by Adam and Chris, with 15 advisories ‘pending’. Based upon Adam’s work on the open source implementation of DNP3 that I discussed yesterday, I would bet that a number of the ‘pending’ advisories will also deal with DNP3 vulnerabilities. It might behoove vendors that utilize the DNP protocol to start taking a hard look at their potential vulnerabilities.