This afternoon the DHS ICS-CERT updated the latest single product advisory for a DNP3 vulnerability reported by Adam Crain and Chris Sistrunk that was originally published less than two weeks ago. The updated information explains how the vulnerability differs when the device is used in two different modes: serial communications and IP communications.
ICS-CERT now separates the improper input validation vulnerability into two separate vulnerabilities, each with its own CVE # (IP - CVE-2013-2787; Serial - CVE-2013-2818) and a different CVSS v2 base score (IP – 7.1; Serial – 4.7) based upon the different modes of access. The higher base score for the IP installation is based upon the fact that the vulnerability is remotely accessible.
ICS-CERT also notes that the skill level necessary to exploit the vulnerabilities is different, noting that it takes less skill (moderate) to exploit the IP-based installation as compared to the high skill level required to exploit the serial-based implementation vulnerability. It appears that they base that distinction solely on the fact that physical contact with the device is required for a serial exploit.
I’m not sure that I agree with the exploit skill level assessment. It takes different skills to defeat physical security than to gain network access, but I’m not sure that I would call them higher skills. There are certainly more people out there with the ability to penetrate a remote facility protected by fences and cameras (I can certainly do that, as can most ex-infantry soldiers, gang bangers and B&E specialists, to name a few; hell, an 80-year-old nun did it earlier this year at a nuke weapons installation) than can penetrate network defenses to access a port on a device.
It seems to me that this is an attempt to understate the potential threat to electric (gas and water) transmission systems that employ these devices. There has been a lot of discussion in the cybersecurity press about the physical vulnerability of these types of devices at remote sites. Those discussions describe the ease of plugging a device into a serial port and how an uncomplicated TCP packet can be used to put the outstation into an endless loop. This type of attack would make it impossible to control the systems at that outstation until the device was reset.
Other than those concerns, the new update does more accurately describe how the vulnerability can be exploited and the different ways the vulnerability can be exploited based upon how the device is employed.
1 comment:
Patrick,
Now I'm thoroughly confused.
The title of the advisory is "Alstom e-Terracontrol DNP3 Master Improper Input Validation".
The updates say that the Outstation can be sent into an infinite loop and needs to be rebooted.
Huge difference in impact between these two. The big impact I talked about in my blog is related to attacks from the substation (outstation), serial or IP, against the Master Station.
The fact that an attacker can compromise a PLC in a substation if they have comms to that PLC is not a big deal. (Unfortunately given the current "insecure by design" state)
Dale Peterson
Digital Bond, Inc.