This afternoon the DHS ICS-CERT published two control system security advisories. One was for a Crain-Sistrunk DNP3 vulnerability in Telvent RTUs and the second was for a NULL pointer dereference vulnerability in the 3S CoDeSys Runtime Toolkit. Both were coordinated disclosures.
Schneider DNP3 Advisory
The DNP3 vulnerability is a standard improper input validation vulnerability. According to the Robus web site, this is number 16 of now 28 (they have recently updated the total number) coordinated disclosures that Crain and Sistrunk have made based upon their proprietary fuzzer technology; that leaves 12 more DNP3 vendors to go.
This advisory was originally posted on the CERT secure portal back on January 6th, and it was disclosed on the Schneider Electric web site on December 30th. Schneider has produced a patch to mitigate the single vulnerability (based upon the CVSS v2 score, it is probably the serial version of the vulnerability). There is no mention in the advisory of whether Crain-Sistrunk were given a chance to validate the patch.
According to ICS-CERT, a relatively low skilled attacker could remotely exploit this vulnerability to execute a denial-of-service attack.
According to Schneider's own version of the advisory (.PDF download), Schneider did more than just fix this vulnerability in the firmware update. They note that:
“In addition to better checking DNP3 input for malformed packets, the J0 firmware includes features for encryption, authentication, improved logging and DNP3 connection port validation.”
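To show what "better checking DNP3 input for malformed packets" means in practice, and why a protocol fuzzer of the kind Crain and Sistrunk use turns up these bugs, here is a defensive DNP3 link-layer frame parser. This is example code added to this post; it is not Schneider's firmware or Automatak's fuzzer. It assumes only the public DNP3 link-layer layout (start bytes 0x05 0x64, LEN counting the control and address bytes plus user data, a CRC-16/DNP after the header and after every 16-byte data block) and the published CRC parameters. The frames it processes are constructed inline, and `mutation_sanity` is a toy mutation loop, not a real fuzzer.

```python
"""Defensive DNP3 link-layer frame parser (added example, not vendor code).

Every length and CRC is checked before the payload is touched, so malformed
input can only ever produce a controlled ValueError, never a crash.
"""
import random

START = b"\x05\x64"
MAX_USER = 250  # LEN is 5..255 and counts CTRL, DEST, SRC plus user data


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def _crc_bytes(data: bytes) -> bytes:
    return crc_dnp(data).to_bytes(2, "little")  # CRC is sent LSB first


def build_link_frame(ctrl: int, dest: int, src: int, user: bytes = b"") -> bytes:
    """Encoder used only to construct well-formed sample frames."""
    if len(user) > MAX_USER:
        raise ValueError("user data too long")
    header = (START + bytes([len(user) + 5, ctrl])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    out = bytearray(header + _crc_bytes(header))
    for i in range(0, len(user), 16):
        block = user[i:i + 16]
        out += block + _crc_bytes(block)
    return bytes(out)


def parse_link_frame(frame: bytes) -> dict:
    """Parse one frame; raise ValueError (and only ValueError) if malformed."""
    if len(frame) < 10:
        raise ValueError("short header")
    if frame[:2] != START:
        raise ValueError("bad start bytes")
    length = frame[2]
    if length < 5:
        raise ValueError("LEN below header size")
    if frame[8:10] != _crc_bytes(frame[:8]):
        raise ValueError("header CRC mismatch")
    user_len = length - 5
    blocks = (user_len + 15) // 16
    expected = 10 + user_len + 2 * blocks  # header + data + one CRC per block
    if len(frame) != expected:
        raise ValueError(f"frame length {len(frame)} != {expected} implied by LEN")
    user, pos, remaining = bytearray(), 10, user_len
    while remaining:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if frame[pos + n:pos + n + 2] != _crc_bytes(block):
            raise ValueError("data block CRC mismatch")
        user += block
        pos += n + 2
        remaining -= n
    return {
        "ctrl": frame[3],
        "dest": int.from_bytes(frame[4:6], "little"),
        "src": int.from_bytes(frame[6:8], "little"),
        "user_data": bytes(user),
    }


def is_rejected(frame: bytes) -> bool:
    """True when the parser cleanly refuses the frame."""
    try:
        parse_link_frame(frame)
    except ValueError:
        return True
    return False


def mutation_sanity(base: bytes, rounds: int = 2000, seed: int = 1) -> int:
    """Toy mutation fuzzer: count parses that fail with anything other than
    ValueError. A robust parser returns 0; an unchecked one would not."""
    rng = random.Random(seed)
    unexpected = 0
    for _ in range(rounds):
        buf = bytearray(base)
        for _ in range(rng.randint(1, 4)):
            op = rng.random()
            if op < 0.6 and buf:
                buf[rng.randrange(len(buf))] = rng.randrange(256)
            elif op < 0.8 and buf:
                del buf[rng.randrange(len(buf))]
            else:
                buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        try:
            parse_link_frame(bytes(buf))
        except ValueError:
            pass
        except Exception:
            unexpected += 1
    return unexpected


if __name__ == "__main__":
    sample = build_link_frame(0xC4, 1, 1024, b"hello dnp3 world!!")  # constructed
    print(parse_link_frame(sample))
    print("unexpected failures:", mutation_sanity(sample))
```

The ordering of the checks is the point: the length implied by LEN is verified against the buffer actually received before any data block is indexed, so a LEN byte that lies about the payload size is rejected instead of driving a read past the end of the buffer, which is the classic shape of an improper input validation bug in a protocol stack.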
CoDeSys Advisory
This advisory identifies a vulnerability reported by Nicholas Miles. 3S has developed an update that corrects the vulnerability, and Miles has reported that it effectively mitigates the problem.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to cause a system crash within the Runtime Toolkit application.
ICS-CERT provides a URL for the CoDeSys download page, but I don’t actually see this update unless it is the SP3 Patch 9 that was released last week (1-24-14), but it sure doesn’t look like it from the details provided.
Other Vulnerabilities
There have been a couple of Twitter notices by Joel Langill (@SCADAHacker) about ICS vulnerabilities that have not yet been noticed by ICS-CERT:
@SCADAhacker #ICS Vuln Alert: Emerson Network Power Avocent MergePoint Unity 2016 KVM Directory Traversal Vulnerability http://h4ckr.us/1jDnLt4