Yesterday the DHS ICS-CERT published an advisory [an alert reader noted that this link is now dead; it seems that ICS-CERT has deleted just the original advisory, while versions A and B are still available on the ICS-CERT web site. This may get corrected after the federal government funding is restored] for an undocumented function code vulnerability in the Sixnet universal protocol. The vulnerability was identified by Mehdi Sabraoui in a coordinated disclosure. (NOTE: It appears that Mehdi will be discussing Sixnet testing at DerbyCon – Friday, 9-27-13; 3:30.)
ICS-CERT reports that a relatively unskilled attacker could use the undocumented function codes to remotely execute arbitrary code on the device. The advisory notes that network access is required for exploitation, but that is a thin barrier: the vulnerable RTUs are designed to be reached over the network, so any host that can talk to the RTU's protocol port can send the codes.
The advisory notes that Sixnet has developed a new version (4.8) of the RTU firmware (available through customer service) that requires authentication before the newly identified function codes can be used. There is no indication that Sabraoui has verified the efficacy of the updated firmware, and nothing in the advisory says whether the codes were removed or merely gated. It also appears that older, vulnerable versions of the firmware are still available for download on the Sixnet web site, so operators should confirm the version actually running on each RTU rather than assume the fix is in place.
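To make the point about the fix concrete, here is an added illustration of the vulnerability class and the mitigation the advisory describes. This is example code written for this post, not Sixnet's firmware or a reconstruction of the Sixnet universal protocol: the one-byte function code framing, the code values, the handler names and the peer addresses are all assumptions for the example. The vulnerable dispatcher honours every code the firmware knows without checking who sent it; the hardened dispatcher keeps the documented codes reachable but refuses the undocumented ones until the session has authenticated, which is the behaviour attributed to the 4.8 firmware. A small traffic audit is included because, fixed firmware or not, any use of a non-documented code on the wire is something an operator wants to see.

```python
"""Toy RTU function-code dispatcher: unauthenticated undocumented codes vs. an auth gate.

Added example; framing, code values and handler names are assumptions and are
NOT the Sixnet universal protocol.
"""
from dataclasses import dataclass

# Function codes the (hypothetical) protocol documentation lists for normal operation.
DOCUMENTED_CODES = {0x01: "read_inputs", 0x02: "write_outputs", 0x03: "read_status"}

# Codes the (hypothetical) firmware also honours but the documentation never mentions.
# These are the dangerous ones: they touch firmware storage and execution.
UNDOCUMENTED_CODES = {0x7E: "write_flash", 0x7F: "exec_buffer"}


@dataclass
class Session:
    """Per-connection state. 'authenticated' is set only after a successful login."""
    peer: str
    authenticated: bool = False


@dataclass
class Message:
    code: int
    payload: bytes = b""


def parse_message(raw: bytes) -> Message:
    """Assumed framing: first byte is the function code, the rest is payload."""
    if not raw:
        raise ValueError("empty message")
    return Message(code=raw[0], payload=raw[1:])


def dispatch_vulnerable(session: Session, msg: Message) -> tuple:
    """Pre-fix behaviour as the advisory describes it: every code the firmware
    knows is honoured, and the session's authentication state is never consulted."""
    handlers = {**DOCUMENTED_CODES, **UNDOCUMENTED_CODES}
    name = handlers.get(msg.code)
    if name is None:
        return ("error", "unknown function code")
    return ("ok", name)  # an unauthenticated peer reaches write_flash / exec_buffer


def dispatch_hardened(session: Session, msg: Message) -> tuple:
    """Gate the undocumented codes behind authentication. Documented codes stay
    reachable so ordinary polling keeps working; the privileged codes do not run
    unless the session has logged in first."""
    if msg.code in DOCUMENTED_CODES:
        return ("ok", DOCUMENTED_CODES[msg.code])
    if msg.code in UNDOCUMENTED_CODES:
        if not session.authenticated:
            return ("denied", "authentication required")
        return ("ok", UNDOCUMENTED_CODES[msg.code])
    return ("error", "unknown function code")


def audit_traffic(records) -> list:
    """Network-side check independent of the firmware: flag every (peer, raw)
    record whose function code is not in the documented set. Undocumented and
    unknown codes are both reported; either is worth an alert on an RTU network."""
    alerts = []
    for peer, raw in records:
        try:
            msg = parse_message(raw)
        except ValueError:
            continue
        if msg.code not in DOCUMENTED_CODES:
            alerts.append((peer, msg.code))
    return alerts


if __name__ == "__main__":
    # Constructed sample traffic, not a real capture.
    attacker = Session("10.0.0.9")
    probe = parse_message(b"\x7f\x90\x90")
    print("old firmware:", dispatch_vulnerable(attacker, probe))
    print("new firmware:", dispatch_hardened(attacker, probe))
    print("alerts:", audit_traffic([("10.0.0.5", b"\x01"), ("10.0.0.9", b"\x7e\x00")]))
```

The audit function is the part worth keeping even after the firmware is updated: it does not depend on the RTU behaving correctly, and it will show you which hosts are probing for the privileged codes.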