General Electric (GE) Intelligent Platforms reported an improper input validation vulnerability in the DNP3 driver used with Proficy products iFIX and CIMPLICITY, according to a report on ICS-CERT.
The vulnerability report was part of a resolution by Catapult Software, which developed the driver for the GE products. Adam Crain of Automatak and independent researcher Chris Sistrunk originally reported the improper input validation vulnerability in the Catapult Software driver to ICS-CERT.
The following GE Intelligent Platforms suffer from the remotely exploitable vulnerability:
• Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) DNP3 I/O Driver (“DNP”): Version 7.20j (Catapult v184.108.40.206) and prior versions.
• Proficy HMI/SCADA—iFIX or CIMPLICITY servers with the vulnerable I/O Driver installed (this includes iFIX or CIMPLICITY installations that are part of Proficy Process Systems).
The master station can go into a denial-of-service (DoS) condition by sending a specially crafted transmission control protocol (TCP) packet from the outstation on an IP-based network. If the device ends up connected via a serial connection, the same attack can occur with physical access to the outstation. The device must shut down and then restarted to recover from the DoS.
GE is a U.S.-based company that maintains offices in several countries around the world.
The affected DNP3 driver products work in conjunction with Proficy, iFIX, and CIMPLICITY HMI/SCADA software. According to GE Proficy, iFIX and CIMPLICITY deploy across several sectors including oil and gas, water and wastewater, and electric utilities.
As this vulnerability affects Internet Protocol-connected and Serial-connected devices, there are two CVSS scores.
The Catapult Software DNP3 driver, used in the GE iFIX and CIMPLICITY products, does not validate input correctly. An attacker could cause the software to go into an infinite loop by sending a specifically crafted TCP packet, causing the process to crash.
CVE-2013-2811 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
The Catapult Software DNP3 driver, used in the GE iFIX and CIMPLICITY products, does not validate input correctly. An attacker could cause the software to go into an infinite loop, causing the process to crash. The system must restart manually to clear the condition.
The following scoring is for serial-connected devices. CVE-2013-2823 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.
No known public exploits specifically target this vulnerability and an attacker with a moderate skill would be able to exploit this vulnerability.
GE provided the following mitigations:
• Installing Version 7.20k (Catapult v220.127.116.11) of the DNP driver or newer will address this issue. To obtain the latest version of any I/O driver, visit GE’s Web site and in the right column look for “Quick Picks” > “Downloads” > “I/O Drivers.”
• DNP Distributed Network Protocol 3.0 v7.xx I/O Driver.
Click here for the GE Security Advisory on this issue.
In addition, the driver update is also available from Catapult Software.
The researchers suggest blocking DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets to add an additional layer of protection.