This afternoon the DHS ICS-CERT published three advisories for control system products from Schneider, Kepware and Software Toolbox.
Schneider Advisory

This advisory describes a buffer overflow vulnerability in the Schneider Invensys SRD Control Valve Positioner. The vulnerability was reported by Ivan Sanchez of Nullcode Team. Schneider has produced a new version of the software that mitigates the vulnerability, but there is no indication that Sanchez has verified the efficacy of the fix.

ICS-CERT reports that a local user is required to load a malformed DLL file before the vulnerability is exploitable; a successful exploit could result in arbitrary code execution. Schneider, on the other hand, reports that once the DLL file is loaded the vulnerability is remotely exploitable, and says nothing about the file being 'malformed'; it is apparently a DLL that ships as part of the software package. Which description is right matters for prioritization: under the ICS-CERT reading the remote part only comes into play after a local user has already loaded the DLL, so it is not an unauthenticated remote entry point on its own.
Kepware Advisory

This advisory describes a resource exhaustion vulnerability in the Kepware DNP Master Driver reported by Adam Crain and Chris Sistrunk (back in December 2013, according to Crain). Kepware has produced a new version that mitigates the vulnerability, though there is no indication that either Crain or Sistrunk has verified the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to crash the OPC Server; a resource exhaustion crash is a denial of service, and the advisory does not claim code execution.

The ICS-CERT discussion implies that a similar vulnerability might be found in other implementations of the DNP3 protocol, and it notes that there is a DNP3 Application Note addressing the situation.

This looks like one of the two remaining unresolved DNP3 vulnerabilities listed on the Project Robus website.
Software Toolbox Advisory
This advisory is a near duplicate of the Kepware advisory discussed above except that it involves the Software Toolbox Top Server. (Top Server is a Software Toolbox-branded build of Kepware's OPC server, which accounts for the two advisories reading the same.) If this is, in fact, the second unresolved DNP3 vulnerability listed on the Project Robus site, I kind of suspect that these two vendors may be the only two with this specific implementation issue. Crain and Sistrunk would have looked for this in other implementations; they are kind of thorough that way.
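The Kepware and Software Toolbox advisories say only that a remote peer can exhaust resources in the DNP3 master and crash the OPC server, not which input does it. The example below is added here; it is my own illustration, not Kepware's or Software Toolbox's code and not a reconstruction of their bug. It shows the two receive-side checks a DNP3 master applies to data coming from an outstation before acting on it: link-layer frame validation (LEN bounds, header and data-block CRCs, no reads past the size computed from a validated LEN) and transport-layer reassembly with a hard cap, so a peer that keeps sending segments without FIN cannot grow memory without limit. The 2048-byte fragment cap, the function and class names and the sample frames are assumptions constructed for the illustration; the frame layout and CRC-16/DNP polynomial are the standard ones.

```python
import struct
from dataclasses import dataclass

START = b"\x05\x64"          # DNP3 link-layer start bytes
HEADER_LEN = 10              # start(2) len(1) ctrl(1) dest(2) src(2) crc(2)
MAX_USER_DATA = 250          # LEN is one byte and counts 5 header bytes + user data
BLOCK = 16                   # user data travels in 16-byte blocks, each followed by a CRC


class FrameError(ValueError):
    """Any link frame that fails validation; the caller drops the bytes and resyncs."""


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC (0x3D65), init 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


@dataclass
class Frame:
    ctrl: int
    dest: int
    src: int
    user_data: bytes


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Encode one link frame; used here only to construct sample input."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data does not fit in one link frame")
    header = START + bytes([len(user_data) + 5, ctrl]) + struct.pack("<HH", dest, src)
    out = bytearray(header + struct.pack("<H", crc_dnp(header)))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        out += block + struct.pack("<H", crc_dnp(block))
    return bytes(out)


def parse_frame(buf: bytes) -> tuple:
    """Validate the link frame at the head of buf; return (Frame, bytes consumed).

    Every size is derived from the CRC-protected LEN byte before any data is copied,
    so the peer cannot make us read or allocate beyond a 292-byte frame.
    """
    if len(buf) < HEADER_LEN:
        raise FrameError("incomplete header")
    if buf[:2] != START:
        raise FrameError("bad start bytes")
    length = buf[2]
    if length < 5:
        raise FrameError("LEN below minimum of 5")
    if struct.unpack_from("<H", buf, 8)[0] != crc_dnp(buf[:8]):
        raise FrameError("header CRC mismatch")
    ctrl = buf[3]
    dest, src = struct.unpack_from("<HH", buf, 4)
    n_user = length - 5
    n_blocks = (n_user + BLOCK - 1) // BLOCK
    total = HEADER_LEN + n_user + 2 * n_blocks
    if len(buf) < total:
        raise FrameError("frame truncated")
    user = bytearray()
    pos = HEADER_LEN
    for _ in range(n_blocks):
        take = min(BLOCK, n_user - len(user))
        block = buf[pos:pos + take]
        if struct.unpack_from("<H", buf, pos + take)[0] != crc_dnp(block):
            raise FrameError("data block CRC mismatch")
        user += block
        pos += take + 2
    return Frame(ctrl, dest, src, bytes(user)), total


class TransportReassembler:
    """Reassemble transport segments (FIN=0x80, FIR=0x40, seq=0x3F) into one fragment.

    max_fragment is an assumed configured cap (2048 is the usual DNP3 default); an
    outstation that keeps sending without FIN, or out of sequence, is cut off and
    counted instead of being allowed to grow the buffer.
    """

    def __init__(self, max_fragment: int = 2048):
        self.max_fragment = max_fragment
        self.buf = None            # bytearray while a fragment is in progress
        self.expected_seq = 0
        self.discarded = 0         # fragments dropped for size or sequence errors

    def feed(self, segment: bytes):
        if not segment:
            return None
        hdr, payload = segment[0], segment[1:]
        fin, fir, seq = bool(hdr & 0x80), bool(hdr & 0x40), hdr & 0x3F
        if fir:
            self.buf = bytearray()
        elif self.buf is None or seq != self.expected_seq:
            self._discard()
            return None
        if len(self.buf) + len(payload) > self.max_fragment:
            self._discard()
            return None
        self.buf += payload
        self.expected_seq = (seq + 1) & 0x3F
        if fin:
            fragment, self.buf = bytes(self.buf), None
            return fragment
        return None

    def _discard(self):
        self.buf = None
        self.discarded += 1
```

The point of the ordering in parse_frame is that LEN is checked against its minimum and covered by the header CRC before it is used to compute how many bytes to read, and the data-block CRCs are checked before the block is appended; the reassembler then bounds how much validated link data it will hold for a single application fragment. Either check on its own leaves a gap: good CRCs say nothing about how many segments a peer will send.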