Tuesday, February 11, 2014

ICS-CERT Publishes 2nd Crain-Sistrunk Advisory for MatriconOPC

This afternoon the DHS ICS-CERT published an advisory for MatriconOPC for an improper input validation vulnerability reported by Crain-Sistrunk in a coordinated disclosure. This is the second Crain-Sistrunk vulnerability reported in this service. ICS-CERT notes that MatriconOPC has produced a patch, which has been evaluated for efficacy by Adam Crain and found to resolve the vulnerability.

The Vulnerability

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to cause a denial of service (DoS) loop in the MatriconOPC server (master station). It doesn’t look like this is your father’s DoS attack though:

“This only happens after the server (master station) successfully connects to a device (outstation) that returns a malformed DNP3 packet. The process never recovers and cannot be shut down. The Windows operating system on the master station would have to be rebooted to reestablish communications. After the service has been put in a DoS condition, the configuration tool experiences a read access violation on further reboots.”

This sounds like a DoS that lasts until a service technician arrives on scene to replace the MatriconOPC server.
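The failure mode described above (a master that never recovers after one malformed frame from an outstation) is, at bottom, a missing-validation problem on the receive path. The following is an added example, not code from the advisory, the vendor, or Project Robus: a minimal DNP3 link-layer header validator for the master side that discards malformed frames and always keeps scanning forward. The frame bytes and the `build_header` helper are constructed for illustration; user-data block CRCs are not checked here.

```python
# Added example: defensive DNP3 link-layer header validation on the master side.
# Not code from the advisory, MatriconOPC, or Project Robus; frames are constructed.

DNP3_START = b"\x05\x64"
HEADER_LEN = 10  # start(2) + length(1) + control(1) + dest(2) + src(2) + crc(2)


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected form 0xA6BC), init 0, final complement."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def parse_link_header(frame: bytes):
    """Return (length, control, dest, src) for a well-formed header, else None.

    Every failed check means 'discard this frame', never 'retry forever'.
    """
    if len(frame) < HEADER_LEN or frame[:2] != DNP3_START:
        return None
    length = frame[2]
    if length < 5:  # LENGTH counts control+dest+src (5) plus user data
        return None
    if dnp3_crc(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        return None  # header CRC is sent low byte first
    control, dest, src = frame[3], int.from_bytes(frame[4:6], "little"), int.from_bytes(frame[6:8], "little")
    return length, control, dest, src


def extract_frames(stream: bytes) -> list:
    """Scan a byte stream and return the headers of valid frames only.

    A bad header advances the scan by one byte, so the receiver always
    makes progress instead of looping on the same malformed input.
    """
    frames, i = [], 0
    while i + HEADER_LEN <= len(stream):
        header = parse_link_header(stream[i:i + HEADER_LEN])
        if header is None:
            i += 1
            continue
        frames.append(header)
        user_data = header[0] - 5  # each 16-byte data block carries a 2-byte CRC
        i += HEADER_LEN + user_data + 2 * ((user_data + 15) // 16)
    return frames


def build_header(length: int, control: int, dest: int, src: int) -> bytes:
    """Constructed helper: build a valid header so the validator can be exercised."""
    body = DNP3_START + bytes([length, control]) + dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    return body + dnp3_crc(body).to_bytes(2, "little")
```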

MatriconOPC Support??

The advisory states that you can get the MatriconOPC Security Notification for this vulnerability from the MatriconOPC Support Center (follow the link, click on ‘Product Advisory’ and then click on the Security Notification). Unfortunately there is no Security Notification for this vulnerability; there are two for the earlier Dillon Beresford advisory and one for the earlier Crain-Sistrunk advisory, but none for this advisory.

Another TMW Derived Advisory

Adam Crain added this little tidbit of information about this vulnerability today in a Tweet®:

@jadamcrain @ICSCERT @SCADAhacker Unsafe API design from TMW library results in yet another integration vulnerability.

Adam is referring to the Triangle MicroWorks advisory from last summer (another Crain-Sistrunk DNP3 advisory) that included problems with the DNP3 ANSI C source code libraries, v3.06.0000 through v3.15.0000, which got passed on to whoever had used vulnerable items from that library.

This means that the particular Crain-Sistrunk DNP3 vulnerability could exist in other vendor products; potentially allowing other products to be semi-permanently shut down with this cute little DoS attack vector. NOTE: I apparently misinterpreted what Adam was saying in his TWEET. See his comment below. [Added 10:30 pm CST]

BTW: This little fact was missed by the ICS-CERT Advisory.

Project Robus Update

I have to confess that I usually only get to the Automatak Project Robus site when a Crain-Sistrunk advisory is published. They are now up to 28 coordinated disclosures on DNP3 vulnerabilities (this is the 17th to be published by ICS-CERT) and 1 Modbus TCP vulnerability, so we can wait expectantly to see who next falls to the mythical Automatak Fuzzer.

1 comment:

Adam Crain said...

This one is actually unrelated to the TMW advisory on the outstation.

I was referring to the fact that we have seen many crashes in products that use the TMW master library. The frames that cause the crashes should never leave a stack as they are malformed or contain invalid function/object combinations.

Thanks for the coverage.
