GE and Catapult Software mitigated an improper input validation in the DNP3 driver provided by Catapult for the GE Proficy HMI/SCADA products, according to a report on ICS-CERT.
GE tested the patch to validate that it resolves the remotely exploitable vulnerability, discovered by Adam Crain of Automatak.
The following GE Intelligent Platform software suffers from the issue:
• iFix (all versions): Catapult v7.20.62
• CIMPLICITY 8.2 and earlier: Catapult v8.2.62
• CIMPLICITY 9.0: Catapult v9.0.62
• Proficy HMI/SCADA DNP3 I/O Driver (“DNP): Version v7.20k (Catapult v7.20.60) and prior
• Proficy HMI/SCADA – iFIX or CIMPLICITY servers with the vulnerable I/O Driver installed (this includes iFIX or CIMPLICITY installations that are part of Proficy Process Systems)
This vulnerability can end up exploited by an attacker to generate an unhandled exception or denial of service.
New Zealand-based Catapult Software specializes in HMI/SCADA software development.
The affected product, DNP 3.0 driver, ended up designed to work with GE Intelligent Platforms’ iFIX and CIMPLICITY products, which are web-based HMI/SCADA systems. According to Catapult Software, the driver and SCADA systems see action across several sectors, including energy, and water and wastewater systems.
The DNP master station server (DNPDrv.exe) that processes incoming messages via Serial, IP, or Modem does not validate all inputs and an attacker could exploit it to generate an unhandled exception or denial of service.
CVE-2013-2811 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
No known public exploits specifically target this vulnerability, however, an attacker with a low skill would be able to exploit this vulnerability.
Installing Version 7.20L of the DNP driver or newer will address this issue for the products below:
• IFix (all versions): Install DNP driver Version 7.20L (126.96.36.199) or newer
• CIMPLICITY 8.2 and earlier install DNP driver Version 188.8.131.52 or newer
• CIMPLICITY 9.0: Install DNP driver Version 184.108.40.206 or newer
To obtain the latest version of any I/O driver click on GE’s web site and, in the right column, look for “Quick Picks” > “Downloads” > “I/O Drivers.”