Alstom has created a patch that mitigates an improper input validation vulnerability in its e-terracontrol software, according to an updated report on ICS-CERT.
Adam Crain of Automatak and independent researcher Chris Sistrunk tested the patch to validate that it resolves the remotely exploitable vulnerability.
The following Alstom product suffers from the issue: e-terracontrol, Versions 3.5, 3.6, and 3.7.
A specially crafted TCP packet sent from the outstation on an IP-based network can put the master into an infinite loop. If the user connects the device via a serial connection, the same attack can occur with physical access to the master station. The device must then be shut down and restarted to reset the loop state.
Alstom is a France-based company that maintains offices worldwide.
The affected product, Alstom e-terracontrol software, is used in SCADA systems to monitor and control electrical energy systems. According to Alstom, e-terracontrol software is deployed across the electric energy sector. Alstom estimated these products are used mainly in the U.S. and Europe, with a small percentage in Asia.
As this vulnerability affects Internet Protocol-connected and Serial-connected devices, there are two CVSS scores.
The Alstom e-terracontrol DNP Master Driver incorrectly validates input. An attacker could cause the software to go into an infinite loop with a specially crafted TCP packet, causing the process to crash. If the Alstom e-terracontrol settings are configured to restart automatically, the DNP3 service will automatically restart and resume communications. Otherwise, the system must be restarted manually.
For IP-connected devices, CVE-2013-2787 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
The Alstom e-terracontrol DNP Master Driver incorrectly validates input. An attacker could cause the software to go into an infinite loop, causing the process to crash. If the Alstom e-terracontrol settings are configured to restart automatically, the DNP3 service will automatically restart and resume communications. Otherwise, the system must be restarted manually.
For serial-connected devices, CVE-2013-2818 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.
The IP-based vulnerability can be exploited remotely, but the serial-based vulnerability is not exploitable remotely. Exploiting it requires local access to the serial-based outstation.
No known public exploits specifically target this vulnerability, but an attacker with moderate skill could craft an IP packet that would be able to exploit the vulnerability for an IP-based device.
Exploiting the serial-based vulnerability would take an attacker with high skill, because it requires physical access to the device or some amount of social engineering.
Alstom produced a patch that is available for download from the Alstom Grid Customer Wise portal. Users should contact their Alstom representative for download information.