Catapult Software DNP3 Driver Improper Input Validation
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
This advisory was originally posted to the US-CERT secure Portal library on October 24, 2013, and is now being released to the NCCIC/ICS-CERT Web site.
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation in Catapult Software’s DNP3 Driver software. Catapult Software has produced an updated software version that mitigates this vulnerability. Adam Crain and Chris Sistrunk tested the updated software to validate that it resolves the vulnerability.
This driver is used with General Electric (GE) Intelligent Platform’s Proficy iFIX and CIMPLICITY products. Please see ICSA-13-297-02 GE Proficy DNP3 Improper Input Validation for specific GE mitigations.
This vulnerability could be exploited remotely.
The following Catapult Software product is affected:
- Catapult Software DNP driver (“DNP”): Version 7.20.56, and
- Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) – iFIX or CIMPLICITY servers with the vulnerable I/O Driver installed (this includes iFIX or CIMPLICITY installations that are part of Proficy Process Systems).
The use of this driver can cause the human-machine interface (HMI) to be put into a denial‑of‑service (DoS) condition by sending a specially crafted transmission control protocol (TCP) packet from the outstation on an IP-based network. If the device is connected via a serial connection, the same attack can be accomplished with physical access to the outstation. The device must be shut down and restarted to recover from the DoS.
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Catapult Software is based in New Zealand and specializes in SCADA/HMI software development.
The affected product, DNP 3.0 driver, was designed to be used with GE Intelligent Platforms’ iFIX and CIMPLICITY products, which are Web-based SCADA/HMI systems. According to Catapult Software, the driver and SCADA systems are deployed across several sectors, including oil and gas, water and wastewater, and electric utilities.
As this vulnerability affects Internet Protocol-connected and Serial-connected devices, two CVSS scores have been calculated.
IMPROPER INPUT VALIDATION-IP-BASEDa
The Catapult Software DNP3 driver, used in the GE iFIX and CIMPLICITY products, does not validate input correctly. An attacker could cause the software to go into an infinite loop by sending a specifically crafted TCP packet, causing the process to crash.
IMPROPER INPUT VALIDATION-SERIAL-BASEd
The Catapult Software DNP3 driver, used in the GE iFIX and CIMPLICITY products, does not validate input correctly. An attacker could cause the software to go into an infinite loop, causing the process to crash. The system must be restarted manually to clear the condition.
The following scoring is for serial-connected devices.
This vulnerability can be exploited remotely.
EXISTENCE OF EXPLOIT
No known public exploits specifically target this vulnerability.
An attacker with a moderate skill would be able to exploit this vulnerability.
An updated driver is available from Catapult Software. Installing Version 7.20.60 (GE IP 7.20k) of the DNP driver or newer will address this issue. The driver is available for download by registering for support at http://catapultsoftware.com/support.
In addition, the driver update is also available from GE at http://support.ge-ip.com.
The researchers suggest blocking DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets to add an additional layer of protection.
NCCIC/ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
NCCIC/ICS-CERT also provides a section for control systems security recommended practices on the NCCIC/ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.g NCCIC/ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the NCCIC/ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Detection and Mitigation Strategies,h that is available for download from the NCCIC/ICS-CERT Web page (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC/ICS-CERT for tracking and correlation against other incidents.
- a. CWE-20: Improper Input Validation, http://cwe.mitre.org/data/definitions/20.html, Web site last accessed November 19, 2013.
- b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2811, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.
- c. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C, Web site last accessed November 19, 2013.
- d. CWE-20: Improper Input Validation, http://cwe.mitre.org/data/definitions/20.html, Web site last accessed November 19, 2013.
- e. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2823, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.
- f. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:L/AC:M/Au:N/C:N/I:N/A:C, Web site last accessed November 19, 2013.
- g. CSSP Recommended Practices, http://ics-cert.us-cert.gov/content/recommended-practices, Web site last accessed November 19, 2013.
- h. Target Cyber Intrusion Detection and Mitigation Strategies, http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B, Web site last accessed November 19, 2013.
For any questions related to this report, please contact ICS-CERT at:
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900
For industrial control systems security information and incident reporting: http://ics-cert.us-cert.gov
ICS-CERT continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.