Monday, October 21, 2013

ICS-CERT Updates Latest Crain-Sistrunk Advisory

This afternoon the DHS ICS-CERT updated the latest single-product advisory for a DNP3 vulnerability reported by Adam Crain and Chris Sistrunk that was originally published less than two weeks ago. The updated information explains how the vulnerability differs when the device is used in two different modes: serial communications and IP communications.

ICS-CERT now separates the improper input validation vulnerability into two separate vulnerabilities, each with its own CVE number (IP - CVE-2013-2787; Serial - CVE-2013-2818) and a different CVSS v2 base score (IP – 7.1; Serial – 4.7), based upon the different modes of access. The higher base score for the IP installation reflects the fact that the vulnerability is remotely accessible.

ICS-CERT also notes that the skill level necessary to exploit the vulnerabilities is different: it takes less skill (moderate) to exploit the IP-based installation than the high skill level required to exploit the serial-based implementation. It appears that they base that distinction solely on the fact that physical contact with the device is required for a serial exploit.

I’m not sure that I agree with the exploit skill level assessment. It takes different skills to defeat physical security than to gain network access, but I’m not sure that I would call them higher skills. There are certainly more people out there with the ability to penetrate a remote facility protected by fences and cameras (I can certainly do that, as can most ex-infantry soldiers, gang bangers and B&E specialists, to name a few; hell, an 80-year-old nun did it earlier this year at a nuke weapons installation) than can penetrate network defenses to access a port on a device.

It seems to me that this is an attempt to understate the potential threat to electric (gas and water) transmission systems that employ these devices. There has been a lot of discussion in the cybersecurity press about the physical vulnerability of these types of devices at remote sites. Those discussions describe the ease of plugging a device into a serial port and how an uncomplicated TCP packet can be used to put the outstation into an endless loop. This type of attack would make it impossible to control the systems at that outstation until the system was reset.

Other than those concerns, the new update does more accurately describe how the vulnerability can be exploited and the different ways it can be exploited based upon how the device is employed.

1 comment:

Anonymous said...

Now I'm thoroughly confused.

The title of the advisory is "Alstom e-Terracontrol DNP3 Master Improper Input Validation".

The updates say that the Outstation can be sent into an infinite loop and needs to be rebooted.

Huge difference in impact between these two. The big impact I talked about in my blog is related to attacks from the substation (outstation), serial or IP, against the Master Station.

The fact that an attacker can compromise a PLC in a substation if they have comms to that PLC is not a big deal. (Unfortunately given the current "insecure by design" state)

Dale Peterson
Digital Bond, Inc.
