This afternoon the DHS ICS-CERT published an advisory for an improper Ethernet frame padding vulnerability in the Schneider Electric Telvent SAGE 2300 and 2400 remote terminal units (RTUs). The vulnerability was reported by David Formby and Raheem Beyah of Georgia Tech. A previously released software version mitigates the vulnerability. The researchers have validated the efficacy of the current software to fix the vulnerability.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to read the leaked packet data.
This is the same ‘IEEE conformance issue’ that this research team has reported in systems from two other suppliers (here and here). Interestingly, the most recent of those other examples (the first one listed here) included an early release of the advisory on the US CERT Secure Portal, even though, as in this case, the vulnerability had already been corrected in a previously released version of the software.
GPS Timing Issue
While looking at the Schneider web site for information on this vulnerability (I did not find any) I came across a very interesting notice about a GPS timing issue that had been identified (no attribution of identification was provided) in the Trimble GPS card. Because of an error in the firmware, those cards are now reporting dates with a year of 1996 instead of 2016, and have been doing so since February 14th, 2013. I suppose that system owners who actually use the affected 0x41 and 0x8F-20 messages will have already noticed this problem. According to Trimble (.PDF download) they are not able to update the firmware to correct this problem, so it has to be corrected in the software/firmware that uses the reported data. The Schneider notice reports that they have updated the firmware for their C3413 and C3414 CPU Cards.
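As an added example (not code from the post, Schneider or Trimble), here is the kind of consumer-side sanity check the notice points to: a routine that corrects a receiver-reported date that has fallen behind a known floor by whole 1024-week GPS epochs and flags every correction and any backwards step in the time series. The assumption that the 1996-for-2016 offset is one wrap of the 10-bit GPS week counter is mine, as are the constructed sample dates.

```python
from datetime import date, timedelta

# A 10-bit GPS week counter wraps every 1024 weeks (about 19.6 years). Treating
# the 1996-for-2016 offset as one such wrap is an assumption of this example,
# not a statement from Trimble's notice.
EPOCH = timedelta(weeks=1024)


def correct_receiver_date(reported: date, not_before: date) -> date:
    """Shift a receiver-reported date forward by whole 1024-week epochs until
    it is no earlier than `not_before` (for example the build date of the
    consuming firmware, which a correct clock can never precede)."""
    if reported >= not_before + EPOCH:
        # More than one epoch ahead of the floor is not a wrap: fail closed
        # rather than silently trusting an implausible timestamp.
        raise ValueError(f"implausible receiver date {reported}")
    corrected = reported
    while corrected < not_before:
        corrected += EPOCH
    return corrected


def audit_timestamps(reported: list[date], not_before: date) -> list[str]:
    """Correct each date in a sequence of receiver reports and return the
    findings an operator would want logged: every correction applied and
    every step where the corrected time runs backwards."""
    findings = []
    previous = None
    for raw in reported:
        fixed = correct_receiver_date(raw, not_before)
        if fixed != raw:
            findings.append(f"{raw} corrected to {fixed}")
        if previous is not None and fixed < previous:
            findings.append(f"time went backwards: {previous} -> {fixed}")
        previous = fixed
    return findings


# Constructed sample: three daily reports; the last comes from a card whose
# week counter wrapped, so it reports a 1996 date for a day in 2016.
SAMPLE = [date(2016, 2, 12), date(2016, 2, 13), date(1996, 6, 30)]

if __name__ == "__main__":
    for line in audit_timestamps(SAMPLE, date(2015, 1, 1)):
        print(line)
```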