Sixnet created a new version of the remote terminal unit (RTU) firmware that mitigates the undocumented function codes in its universal protocol, according to a report on ICS-CERT.
This vulnerability, discovered by independent researcher Mehdi Sabraoui, could be exploited remotely. The Intelligent Systems Research Lab at the University of Louisville tested the new version to validate that it resolves the vulnerability.
The following Sixnet products are affected: UDR versions older than 2.0, and RTU firmware older than Version 4.8.
An attacker who has access to the network where this RTU resides may use undocumented function codes to obtain file descriptors and file sizes, to read and write to files, to create new files, or to open a shell on the target machine to execute arbitrary code.
Sixnet is a U.S.-based company owned by Red Lion Controls.
The affected products, which run the RTU firmware, are SCADA systems that send real-time data from distributed locations to a human-machine interface in a central location. According to Sixnet, its RTU products are deployed across several sectors including energy, transportation, commercial facilities, and finance. Sixnet estimates these products are used primarily in North America, Europe, and Asia.
Undocumented functions are available to use in the Sixnet universal protocol. The researcher found six different opcodes that allow a user (or an attacker) to execute file and shell tasks. The device does not require an authenticated session before it accepts these opcodes.
CVE-2013-2802 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
An attacker must have access to the network where the RTU resides. While no known public exploits specifically target this vulnerability, an attacker with low skill would be able to exploit it.
Sixnet has released a new version of the RTU firmware, Version 4.8, which adds authentication so only authorized users may access the device. Contact Sixnet support for more information about this issue and firmware Version 4.8.