IOServer created an updated software version that mitigates the improper input validation vulnerability in the DNP3 driver software, according to a report on ICS-CERT.
Adam Crain of Automatak and independent research Chris Sistrunk, who found the remotely exploitable vulnerability, updated and tested this version and validates that this vulnerability is resolved.
The IOServer vulnerability affects supported drivers, v188.8.131.52.
The outstation can go into an infinite loop by sending a specially crafted TCP packet, known as “TCP Connection Hijacking.” The device must shut down and then restarted to reset the loop state.
IOServer is a small software company based in New Zealand. The IOServer DNP3 drivers allow communication between the master and slave outstations as well as interpretation for some historical and configuration functions. IOServer said this software works across several sectors including manufacturing, building automation, oil and gas, pipeline, and electric utilities, among others. IOServer said these products see use primarily in Europe, Asia, South America, and Australia. The product has some use in the United States and Canada.
The IOServer driver product does not validate or incorrectly validate input on Port 20000/TCP that can affect the control flow or data flow of a program. When this software does not validate input properly, an attacker is able to craft the input in a form not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow or arbitrary control of a resource.
As a result, the IOServer enters an infinite loop condition without an exit. The users must then manually restart the system. CVE-2013-2783 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
No known public exploits specifically target this vulnerability and creating a working exploit for this vulnerability would take some work from a moderately skilled attacker.
IOServer created an updated beta driver package that is available on their Web site.