This afternoon the DHS ICS-CERT published three advisories for vulnerabilities in control systems from Schneider, Kepware and Software Toolbox.
Schneider Advisory
This advisory describes a buffer overflow vulnerability in the Schneider Invensys SRD Control Valve Positioner. The vulnerability was reported by Ivan Sanchez from Nullcode Team. Schneider has produced a new version of the software that mitigates the vulnerability, but there is no indication that Sanchez has verified the efficacy of the fix.
ICS-CERT reports that a local user is required to load a malformed DLL file before the vulnerability is exploitable. A successful exploit could result in arbitrary code execution. Schneider, on the other hand, reports that once the DLL file is loaded the vulnerability is remotely exploitable; it doesn’t mention anything about loading a ‘malformed DLL file’, and the DLL in question is apparently one that ships as part of the software package.
Kepware Advisory
This advisory describes a resource exhaustion vulnerability in the Kepware DNP Master Driver, reported by Crain and Sistrunk (back in December 2013, according to Adam Crain). Kepware has produced a new version that mitigates the vulnerability, though there is no indication that Crain or Sistrunk have verified the efficacy of the fix.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to crash the OPC Server.
The ICS-CERT discussion of the vulnerability appears to imply that a similar vulnerability might be found in other implementations of the DNP3 protocol; it notes that there is a DNP3 Application Note addressing the situation.
This looks like it was one of the two remaining unresolved DNP3 vulnerabilities listed on the Project Robus website.
Software Toolbox Advisory
This advisory is a near duplicate of the Kepware advisory discussed above, except that it involves the Software Toolbox Top Server. If this is, in fact, the second unresolved DNP3 vulnerability listed on the Project Robus site, I kind of suspect that these two vendors may be the only two with this specific implementation issue. Crain-Sistrunk would have looked for this in other implementations; they are kind of thorough that way.
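Neither the Kepware nor the Software Toolbox advisory says what input trips the resource exhaustion in the two DNP3 master drivers, so what follows is only an illustration of the general defence, added here and not code from Kepware, Software Toolbox, ICS-CERT or Project Robus, and not a description of the actual bugs: a DNP3 link-layer frame parser and stream reader in which every slice and loop bound derives from the one-byte LENGTH field, header and data-block CRCs are verified before anything is accepted, and the receive buffer is hard-capped so unframed junk from a remote outstation cannot grow memory. The frame layout and CRC parameters (start bytes 05 64, 16-byte data blocks each with a trailing CRC, CRC-16/DNP with polynomial 0x3D65, reflected, final XOR 0xFFFF, sent LSB first) are the standard DNP3 ones; the sample frames, the corrupted byte and the junk stream are constructed for the example, and the two-frame buffer cap is an assumed value.

```python
"""Bounded DNP3 link-layer frame parser and stream reader (added example, not vendor code)."""
from typing import List, NamedTuple

START = b"\x05\x64"   # DNP3 link-layer start bytes
HEADER_LEN = 10       # 8 header bytes + 2-byte header CRC
MIN_LENGTH = 5        # LENGTH byte counts CONTROL + DEST + SOURCE (5) + user data
MAX_USER_DATA = 250   # LENGTH is a single byte, so at most 255 - 5
BLOCK = 16            # user data travels in 16-byte blocks, each followed by a CRC
MAX_FRAME = 292       # 10 + 250 + 16 blocks * 2 CRC bytes: the largest legal frame

LinkFrame = NamedTuple("LinkFrame", [("control", int), ("destination", int),
                                     ("source", int), ("user_data", bytes)])

class FrameError(ValueError): "Bytes at the buffer head are not a frame: drop one byte and resync."
class Truncated(FrameError): "Frame is valid so far but incomplete: wait for more bytes."

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, reflected, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def frame_size(length_field: int) -> int:
    """On-the-wire size implied by the LENGTH byte, CRCs included (never above MAX_FRAME)."""
    n = length_field - MIN_LENGTH
    return HEADER_LEN + n + 2 * ((n + BLOCK - 1) // BLOCK)

def parse_link_frame(buf: bytes) -> LinkFrame:
    """Parse one frame from the head of buf. Every slice and loop bound derives from the
    one-byte LENGTH field, so no peer-controlled value can drive allocation or looping."""
    if len(buf) < HEADER_LEN: raise Truncated("short header")
    if buf[:2] != START: raise FrameError("bad start bytes")
    length = buf[2]
    if length < MIN_LENGTH: raise FrameError("LENGTH %d below minimum" % length)
    if crc16_dnp(buf[:8]) != int.from_bytes(buf[8:10], "little"):
        raise FrameError("header CRC mismatch")  # verify before trusting LENGTH any further
    total = frame_size(length)
    if len(buf) < total: raise Truncated("need %d bytes, have %d" % (total, len(buf)))
    data, pos, remaining = bytearray(), HEADER_LEN, length - MIN_LENGTH
    while remaining > 0:
        chunk = min(BLOCK, remaining)
        block = buf[pos:pos + chunk]
        if crc16_dnp(block) != int.from_bytes(buf[pos + chunk:pos + chunk + 2], "little"):
            raise FrameError("data CRC mismatch at offset %d" % pos)
        data += block
        pos, remaining = pos + chunk + 2, remaining - chunk
    return LinkFrame(buf[3], int.from_bytes(buf[4:6], "little"),
                     int.from_bytes(buf[6:8], "little"), bytes(data))

def is_valid_frame(buf: bytes) -> bool:
    """True if buf begins with a complete, CRC-correct frame."""
    try:
        parse_link_frame(buf)
        return True
    except FrameError:
        return False

def build_link_frame(control: int, dest: int, source: int, user_data: bytes = b"") -> bytes:
    """Encode a frame; used here only to construct sample input."""
    if len(user_data) > MAX_USER_DATA: raise ValueError("user data exceeds %d bytes" % MAX_USER_DATA)
    header = (START + bytes([MIN_LENGTH + len(user_data), control])
              + dest.to_bytes(2, "little") + source.to_bytes(2, "little"))
    out = bytearray(header + crc16_dnp(header).to_bytes(2, "little"))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        out += block + crc16_dnp(block).to_bytes(2, "little")
    return bytes(out)

class FrameReader:
    """Accumulates socket bytes and yields complete frames. The buffer is hard-capped (assumed
    value: two maximum-size frames) so endless junk, or a header whose LENGTH is never
    satisfied, cannot grow memory without bound."""
    MAX_BUFFER = 2 * MAX_FRAME

    def __init__(self) -> None:
        self._buf = bytearray()
    def pending(self) -> int:
        return len(self._buf)
    def feed(self, data: bytes) -> List[LinkFrame]:
        self._buf += data
        if len(self._buf) > self.MAX_BUFFER:
            del self._buf[:len(self._buf) - self.MAX_BUFFER]  # keep only the newest bytes
        frames = []
        while True:
            idx = self._buf.find(START)
            if idx < 0:  # no frame start anywhere: keep a trailing 0x05 in case 0x64 follows
                self._buf[:] = self._buf[-1:] if self._buf.endswith(b"\x05") else b""
                break
            del self._buf[:idx]
            try:
                frame = parse_link_frame(bytes(self._buf))
            except Truncated:
                break
            except FrameError:
                del self._buf[0]  # false start or bad CRC: skip one byte and resync
                continue
            frames.append(frame)
            del self._buf[:frame_size(self._buf[2])]
        return frames
```

The design point is that the only thing a remote peer controls about how much the master allocates or loops is a single byte, checked for its minimum before use and backed by a header CRC; anything that fails is discarded one byte at a time until the stream resynchronises, and the reader's cap means a peer that never completes a frame only costs a fixed amount of memory.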