This afternoon the DHS ICS-CERT updated the latest single-product advisory for a DNP3 vulnerability reported by Adam Crain and Chris Sistrunk that was originally published less than two weeks ago. The updated information explains how the vulnerability differs when the device is used in either of two modes: serial communications or IP communications.
ICS-CERT now separates the improper input validation vulnerability into two separate vulnerabilities, each with its own CVE number (IP - CVE-2013-2787; Serial - CVE-2013-2818) and a different CVSS v2 base score (IP – 7.1; Serial – 4.7) based upon the different modes of access. The higher base score for the IP installation reflects the fact that the vulnerability is remotely accessible.
ICS-CERT also notes that the skill level necessary to exploit the vulnerabilities is different: it takes less skill (moderate) to exploit the IP-based installation than the high skill level required to exploit the serial-based implementation. It appears that they base that distinction solely on the fact that physical contact with the device is required for a serial exploit.
I’m not sure that I agree with the exploit skill level assessment. It takes different skills to defeat physical security than to gain network access, but I’m not sure that I would call it higher skills. There are certainly more people out there with the ability to penetrate a remote facility protected by fences and cameras (I can certainly do that, as can most ex-infantry soldiers, gang bangers and B&E specialists, to name a few; hell, an 80-year-old nun did it earlier this year at a nuke weapons installation) than can penetrate network defenses to access a port on a device.
It seems to me that this is an attempt to understate the potential threat to electric (gas and water) transmission systems that employ these devices. There has been a lot of discussion in the cybersecurity press about the physical vulnerability of these types of devices at remote sites. Those discussions describe the ease of plugging a device into a serial port and how an uncomplicated TCP packet can be used to put the outstation into an endless loop. This type of attack would make it impossible to control the control systems at that outstation until the system was reset.
Other than those concerns, the new update does more accurately describe how the vulnerability can be exploited and the different ways it can be exploited based upon how the device is employed.