Cooper Power Systems created a new firmware version that mitigates an improper input validation vulnerability in its SMP Gateway DNP3 protocol components, according to a report on ICS-CERT.
Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the vulnerability, tested the new firmware version to validate that it resolves the remotely exploitable vulnerability.
The following Cooper Power Systems products suffer from the issue:
• SMP 16 Gateway (Data Concentrator), all versions,
• SMP 4 Gateway (Data Concentrator), all versions, and
• SMP 4/DP Gateway (Data Concentrator), all versions.
An attacker could make the SMP Gateway reboot by sending a specially crafted TCP packet on an IP-based network. If the device connects via a serial connection, the same attack can occur with physical access to the SMP Gateway. In most cases, the SMP Gateway will restart and resume communications. In more severe cases, when the device connects via a serial connection, the SMP Gateway may need to be reset manually.
Cooper Power Systems is a U.S.-based company that maintains offices in several countries around the world, including the United States and Canada.
The affected product, SMP Gateway, is a data concentrator. According to Cooper Power Systems, the SMP Gateway is deployed mainly in the energy sector, and the company estimates these products are used primarily in North America, Latin America, and Oceania.
As this vulnerability affects Internet Protocol-connected and serial-connected devices, two CVSS scores have been calculated.
The SMP Gateway DNP3 component incorrectly validates input. An attacker could cause a reboot or the failure of a communications link with a specifically crafted TCP packet. In the case where the attacked communications link fails, all other SMP Gateway services and connections remain fully operational and only the attacked communications link will become unresponsive. Communications will automatically reestablish when the master station attempts to reconnect to the unresponsive link. If the attack causes a reboot, communications will resume once the SMP Gateway restarts.
The following scoring is for IP-connected devices.
CVE-2013-2813 is the case number that has been assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
The SMP Gateway DNP3 component incorrectly validates input. An attacker could cause a reboot or the failure of a communications link with a specifically crafted packet. If the attack causes a reboot, communications will resume once the SMP Gateway restarts. In the case where the attacked communications link fails, all other SMP Gateway services and connections remain fully operational and only the attacked connection will become unresponsive. However, it may be necessary to manually reset the system to restore communications on the attacked connection. An authorized user can do this remotely using the maintenance tools.
The following scoring is for serial-connected devices: CVE-2013-2816 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.
The IP-based vulnerability is remotely exploitable. The serial-based vulnerability is not remotely exploitable. Local access to the serial-based outstation is required.
While there are no known public exploits that specifically target this vulnerability, an attacker of moderate skill could craft a TCP packet able to exploit the vulnerability on an IP-based device. Exploiting the serial-based vulnerability would require an attacker of high skill, because physical access to the device or some amount of social engineering is required.
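The report describes the flaw only as the DNP3 component "incorrectly validating input" and does not say which field is mishandled. The following is an added example, not code from Cooper Power Systems or ICS-CERT, of the strict link-layer frame check an outstation or data concentrator should apply before acting on any field of a received DNP3 frame; the frame layout and CRC parameters come from the DNP3 link-layer specification, while the function names and the sample frames built in the test are my own constructions.

```python
# Added example (not Cooper Power Systems or ICS-CERT code): strict DNP3 link-layer
# frame validation before any field is acted on. Wire layout: 05 64 | LEN | CTRL |
# DST(2) | SRC(2) | CRC(2), then user data in blocks of up to 16 octets, each block
# followed by its own CRC. DNP3 CRC-16: poly 0x3D65 (reflected 0xA6BC), init 0,
# final complement, transmitted LSB first.
START = b"\x05\x64"

def dnp3_crc(data: bytes) -> int:
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def expected_frame_size(length_field: int) -> int:
    # LEN counts CTRL+DST+SRC (5) plus user data; 10-octet header, one CRC per block
    user_data = length_field - 5
    return 10 + user_data + 2 * ((user_data + 15) // 16)

def build_frame(ctrl: int, dst: int, src: int, user_data: bytes = b"") -> bytes:
    """Encode a well-formed frame; used here only to construct sample input."""
    header = START + bytes([5 + len(user_data), ctrl]) + dst.to_bytes(2, "little") + src.to_bytes(2, "little")
    frame = header + dnp3_crc(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + dnp3_crc(block).to_bytes(2, "little")
    return frame

def validate_frame(frame: bytes) -> dict:
    """Parse a frame, raising ValueError on anything malformed instead of trusting LEN."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("missing start octets or truncated header")
    length = frame[2]
    if length < 5 or len(frame) != expected_frame_size(length):
        raise ValueError("LEN field invalid or inconsistent with frame size")
    if int.from_bytes(frame[8:10], "little") != dnp3_crc(frame[:8]):
        raise ValueError("header CRC mismatch")
    user_data, pos, remaining = bytearray(), 10, length - 5
    while remaining > 0:  # check every data block CRC before exposing the payload
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if int.from_bytes(frame[pos + n:pos + n + 2], "little") != dnp3_crc(block):
            raise ValueError("data block CRC mismatch")
        user_data += block
        pos, remaining = pos + n + 2, remaining - n
    return {"control": frame[3], "dst": int.from_bytes(frame[4:6], "little"),
            "src": int.from_bytes(frame[6:8], "little"), "user_data": bytes(user_data)}
```

A receiver that rejects a frame at this layer, rather than dispatching on LEN or CTRL first, never reaches the transport or application parser with inconsistent data, which is the property an input-validation fix in a DNP3 stack has to restore.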
Cooper Power Systems produced a new version of the SMP Gateway firmware that is available for download from the customer support Web portal.
In addition, Cooper Power Systems recommends the following mitigation measure: Users of the SMP Gateway should ensure that slave connections are configured to accept connections only from specific IP addresses or address ranges.
The security researchers suggest the following mitigation: Block DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets.