Schneider Electric is working on a fix to handle a vulnerability in its Triconex Tristation Emulator’s Triconex System Access Application (TSAA) communication stack, according to a report from the security firm Applied Risk.
The vulnerability lies in the emulator tool itself, and exploiting it could cause a denial of service (DoS) in the tool.
The emulator is used infrequently for application logic testing. It is susceptible to an attack only while running in off-line mode. This vulnerability does not exist in Triconex hardware products and therefore has no effect on the operating safety functions in a plant, according to Schneider Electric.
There are no known public exploits targeting this vulnerability, which was discovered by Tom Westenberg at Applied Risk.
Triconex TriStation Emulator version 1.2.0 (installed as part of Triconex TriStation 1131 version 4.9.0) suffers from the issue.
The latest version of the Triconex TriStation Emulator is installed with the TriStation 1131 software. The Triconex TriStation Emulator is software that allows users to emulate and execute TriStation 1131 applications without connecting to a Tricon, Trident, or Tri-GP controller. Using the Emulator, users can test applications in an offline environment, without exposing their online processes to potential application errors.
Schneider Electric Triconex technology is certified by TÜV Rheinland for use in safety applications up to safety integrity level 3 (SIL3).
The Emulator vulnerability can be triggered by sending one or more specifically crafted TSAA packets over a network to UDP port 1500 on the victim. Multiple distinct packets were identified that cause a DoS.
Communication settings within Triconex TriStation Emulator allow configuration of different Node Numbers. A crafted TSAA packet must match the victim’s Node Number for exploitation to succeed.
The vulnerability is likely caused by unhandled exceptions in the Triconex TriStation Emulator’s TSAA network stack.
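Because the advisory gives a fixed destination port (UDP 1500) and a narrow set of legitimate senders (engineering workstations running TriStation 1131), the trigger conditions above translate directly into a detection rule: TSAA traffic toward an emulator host from anywhere other than an allow-listed engineering subnet is worth an alert. The script below is an added example, not code from Applied Risk or Schneider Electric; the firewall log format, the host addresses and the allowed subnet are all constructed for illustration, and the script deliberately survives malformed log lines rather than crashing on them, the failure mode the advisory attributes to the emulator itself.

```python
"""Flag UDP/1500 (TSAA) traffic to TriStation Emulator hosts that does not
originate from an allow-listed engineering workstation subnet.

Added example: log format, addresses and subnet are constructed, not real.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

TSAA_UDP_PORT = 1500  # UDP port named in the advisory

# Constructed inventory (hypothetical addresses): hosts running the emulator
# and the engineering subnet that is allowed to reach them.
EMULATOR_HOSTS = {"10.10.20.15"}
ALLOWED_SOURCES = ipaddress.ip_network("10.10.20.0/24")

# Constructed firewall log lines in a generic key=value layout (no real product).
SAMPLE_LOG = """\
ts=2019-05-28T10:01:02Z proto=udp src=10.10.20.7 sport=49152 dst=10.10.20.15 dport=1500 bytes=64
ts=2019-05-28T10:01:03Z proto=udp src=192.168.50.9 sport=40001 dst=10.10.20.15 dport=1500 bytes=128
ts=2019-05-28T10:01:04Z proto=tcp src=10.10.20.7 sport=50100 dst=10.10.20.15 dport=1502 bytes=200
ts=2019-05-28T10:01:05Z proto=udp src=192.168.50.9 sport=40002 dst=10.10.20.15 dport=1500 bytes=128
ts=2019-05-28T10:01:06Z proto=udp src=10.10.20.7 sport=49153 dst=10.10.20.99 dport=1500 bytes=64
ts=2019-05-28T10:01:07Z proto=udp src=not-an-ip sport=1 dst=10.10.20.15 dport=1500 bytes=9
this line is garbage and must not break the parser
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; unknown layouts yield {}."""
    return dict(FIELD_RE.findall(line))


def flag_unexpected_tsaa(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for every UDP/1500 datagram sent to an
    emulator host from outside the allowed engineering subnet.

    Malformed records are skipped, never allowed to raise: a detector that
    dies on bad input would reproduce the very weakness it is watching for.
    """
    alerts: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("proto") != "udp" or rec.get("dport") != str(TSAA_UDP_PORT):
            continue  # not TSAA-port traffic
        if rec.get("dst") not in EMULATOR_HOSTS:
            continue  # not aimed at a known emulator host
        try:
            src = ipaddress.ip_address(rec["src"])
        except (KeyError, ValueError):
            continue  # unparsable source field: skip, do not crash
        if src in ALLOWED_SOURCES:
            continue  # expected engineering workstation
        alerts.append((rec.get("ts", "?"), str(src), rec["dst"]))
    return alerts


def count_by_source(alerts: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Aggregate alerts per sender; repeated hits from one host suggest the
    multi-packet pattern the advisory describes rather than a stray probe."""
    return dict(Counter(src for _, src, _ in alerts))


if __name__ == "__main__":
    hits = flag_unexpected_tsaa(SAMPLE_LOG)
    for ts, src, dst in hits:
        print(f"{ts} unexpected TSAA datagram {src} -> {dst}:{TSAA_UDP_PORT}")
    print("per-source totals:", count_by_source(hits))
```

On the constructed sample the two datagrams from 192.168.50.9 are reported and the rest are ignored: the in-subnet workstation, the TCP flow on a different port, the datagram to a host that is not an emulator, and the two broken records. In a real deployment the allow-list and emulator inventory would come from the asset register, and the rule belongs on the firewall segmenting the engineering network, which is where the advisory's own recommendations place it.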
Applied Risk has calculated a CVSSv3 score of 7.5 for this vulnerability.
Schneider Electric indicated a patch will be ready in July.
Schneider recommends following these general security recommendations:
• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Physical controls should be in place so that no unauthorized person would have access to the ICS and safety controllers, peripheral equipment or the ICS and safety networks.
• All programming software should be kept in locked cabinets and should never be connected to any network other than the network of the devices it is intended for.
• All methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. should be scanned before use in the terminals or any node connected to these networks.
• Laptops that have connected to any other network besides the intended network should never be allowed to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.