
Advisory (ICSA-13-282-01A)

Alstom e-Terracontrol DNP3 Master Improper Input Validation (Update A)

Original release date: October 21, 2013 | Last revised: December 17, 2013

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



OVERVIEW

This updated advisory is a follow-up to the original advisory titled ICSA-13-282-01, Alstom e‑terracontrol DNP3 Master Improper Input Validation, which was posted to the NCCIC/ICS‑CERT Web site October 09, 2013.

Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation in the Alstom e-terracontrol software. Alstom has produced a patch that mitigates this vulnerability. Adam Crain and Chris Sistrunk have tested the patch to validate that it resolves the vulnerability.

This vulnerability could be exploited remotely.

AFFECTED PRODUCTS

The following Alstom product is affected:

  • e-terracontrol, Versions 3.5, 3.6, and 3.7

IMPACT

--------- Begin Update A Part 1 of 4 --------

The master can be sent into an infinite loop by sending a specially crafted TCP packet from the outstation on an IP-based network. If the device is connected via a serial connection, the same attack can be accomplished with physical access to the master station. The device must be shut down and restarted to reset the loop state.

--------- End Update A Part 1 of 4 ----------

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS‑CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

Alstom is a France-based company that maintains offices worldwide.

The affected product, Alstom e-terracontrol software, is used on SCADA systems to monitor and control electrical energy systems. According to Alstom, e-terracontrol software is deployed across the electric energy sector. Alstom estimates that these products are used primarily in the US and Europe with a small percentage in Asia.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

--------- Begin Update A Part 2 of 4 --------

As this vulnerability affects Internet Protocol-connected and Serial-connected devices, two CVSS scores have been calculated.

IMPROPER INPUT VALIDATION - IP-BASED

The Alstom e-terracontrol DNP Master Driver incorrectly validates input. An attacker could cause the software to go into an infinite loop with a specifically crafted TCP packet, causing the process to crash. If the Alstom e-terracontrol settings are configured to automatically restart, the DNP3 service will automatically restart and resume communications. Otherwise, the system must be restarted manually.

The following scoring is for IP-connected devices.

CVE-2013-2787 has been assigned to this vulnerability. A CVSS v2 base score of 7.1 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:N/A:C).

IMPROPER INPUT VALIDATION - SERIAL-BASED

The Alstom e-terracontrol DNP Master Driver incorrectly validates input. An attacker could cause the software to go into an infinite loop, causing the process to crash. If the Alstom e‑terracontrol settings are configured to automatically restart, the DNP3 service will automatically restart and resume communications. Otherwise, the system must be restarted manually.

The following scoring is for serial-connected devices.

CVE-2013-2818 has been assigned to this vulnerability. A CVSS v2 base score of 4.7 has been assigned; the CVSS vector string is (AV:L/AC:M/Au:N/C:N/I:N/A:C).

--------- End Update A Part 2 of 4 ----------
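The two overview paragraphs above describe a DNP3 master whose input handling can be driven into an infinite loop by a malformed frame. As an added illustration (not Alstom's code and not part of the advisory), the following Python link-layer frame validator shows the defensive pattern a master-side receiver should follow: every loop bound is derived from a validated LEN field and the actual buffer length, and a frame that fails any check is rejected up front instead of being processed. The DNP3 frame layout and CRC-16 parameters are the standard ones; the sample frames are constructed here.

```python
import struct
DNP3_START = b"\x05\x64"
HEADER_LEN = 10             # start(2) + LEN(1) + CTRL(1) + DEST(2) + SRC(2) + CRC(2)
LEN_MIN, LEN_MAX = 5, 255   # LEN counts CTRL+DEST+SRC (5 bytes) plus the user data
BLOCK = 16                  # user data travels in 16-byte blocks, each followed by a CRC

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, LSB-first, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(ctrl: int, dest: int, src: int, user: bytes) -> bytes:
    """Encode a well-formed frame; used here only to construct sample input."""
    header = DNP3_START + struct.pack("<BBHH", LEN_MIN + len(user), ctrl, dest, src)
    blocks = [user[i:i + BLOCK] for i in range(0, len(user), BLOCK)]
    return header + struct.pack("<H", crc16_dnp(header)) + b"".join(
        b + struct.pack("<H", crc16_dnp(b)) for b in blocks)

def parse_frame(buf: bytes):
    """Return (ctrl, dest, src, user_data) for one complete, valid frame, else raise.
    Bounds come from the validated LEN and len(buf): the block loop runs at most 16 times."""
    if len(buf) < HEADER_LEN or buf[:2] != DNP3_START:
        raise ValueError("short header or bad start bytes")
    length, ctrl, dest, src, hcrc = struct.unpack("<BBHHH", buf[2:HEADER_LEN])
    if not LEN_MIN <= length <= LEN_MAX:
        raise ValueError("LEN out of range")
    if crc16_dnp(buf[:8]) != hcrc:
        raise ValueError("header CRC mismatch")
    user_len = length - LEN_MIN
    nblocks = (user_len + BLOCK - 1) // BLOCK
    if len(buf) != HEADER_LEN + user_len + 2 * nblocks:
        raise ValueError("frame size does not match LEN")
    user, pos = b"", HEADER_LEN
    for i in range(nblocks):
        n = min(BLOCK, user_len - i * BLOCK)
        if crc16_dnp(buf[pos:pos + n]) != struct.unpack_from("<H", buf, pos + n)[0]:
            raise ValueError(f"data CRC mismatch in block {i}")
        user, pos = user + buf[pos:pos + n], pos + n + 2
    return ctrl, dest, src, user

def frame_error(buf: bytes):  # None when accepted, otherwise the rejection reason
    try:
        parse_frame(buf)
    except ValueError as exc:
        return str(exc)
    return None
```

Feeding `parse_frame` a truncated frame, a LEN below 5, or a block with a corrupted CRC returns a rejection reason in bounded time; a receiver built this way cannot be kept spinning by a frame that lies about its own length.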

VULNERABILITY DETAILS

EXPLOITABILITY

--------- Begin Update A Part 3 of 4 --------

The IP-based vulnerability could be exploited remotely.

The serial-based vulnerability is not exploitable remotely. Local access to the serial-based outstation is required.

--------- End Update A Part 3 of 4 ----------

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

--------- Begin Update A Part 4 of 4 --------

An attacker with a moderate skill could craft an IP packet that would be able to exploit the vulnerability for an IP-based device.

An attacker with a high skill could exploit the serial-based vulnerability because physical access to the device or some amount of social engineering is required.

--------- End Update A Part 4 of 4 ----------

MITIGATION

Alstom has produced a patch that is available for download from the Alstom Grid Customer Wise portal. Customers are encouraged to contact their Alstom representative for download information.

NCCIC/ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

In addition, the researchers suggest the following mitigations:

  • Block DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets.

NCCIC/ICS-CERT also provides a section for control systems security recommended practices on the NCCIC/ICS-CERT Web site. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. NCCIC/ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

Additional mitigation guidance and recommended practices are publicly available in the NCCIC/ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Mitigation Strategies, which is available for download from the NCCIC/ICS-CERT Web site (http://ics-cert.us-cert.gov/).

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC/ICS-CERT for tracking and correlation against other incidents.


Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: http://ics-cert.us-cert.gov
