ID CVE-2013-2798 Type cve Reporter cve@mitre.org Modified 2013-08-12T20:23:00
Description
Schweitzer Engineering Laboratories (SEL) SEL-2241, SEL-3505, and SEL-3530 RTAC master devices allow physically proximate attackers to cause a denial of service (infinite loop) via crafted input over a serial line.
{"ics": [{"lastseen": "2020-07-07T17:26:07", "bulletinFamily": "info", "description": "## Overview\n\nAdam Crain of Automatak and independent researcher Chris Sistrunk have identified improper DNP3 input validation in Schweitzer Engineering Laboratories\u2019 real-time automation controllers (RTAC). Schweitzer Engineering Laboratories (SEL) has produced updated firmware that mitigates this vulnerability. Adam Crain and Chris Sistrunk tested this version to validate that it resolves the vulnerability. This vulnerability could be exploited remotely.\n\n## Affected Products\n\nThe following SEL products are affected:\n\n\u00b7 SEL-3530-R100 -V0-Z001001-D20090915 through SEL-3530- SEL-3530-R123-V0-Z002001\n\n\u00b7 SEL-3530-4-R107-V0-Z001001-D20100818 through SEL-3530-4-R123-V0-Z002001-D20130117\n\n\u00b7 SEL-3505-R119-V0-Z001001-D20120720 through SEL-3505-R123-V0-Z002001-D20130117\n\n\u00b7 SEL-2241-R113-V0-Z001001-D20110721 through SEL-2241-R123-V0-Z002001-D20130117 \n\n## Impact\n\nThe RTAC master device can be sent into an infinite loop by sending a specially crafted TCP packet from the master station on an IP-based network. If the device is connected via a serial connection, the same attack can be accomplished with physical access to the master station. In certain conditions the DNP3 driver will automatically restart and resume communications. Under more severe conditions the device ALARM contact will assert indicating a problem and the device configuration settings must be reloaded.\n\nImpact to individual organizations depends on many factors that are unique to each organization. ICS\u2011CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.\n\n## Background\n\nSEL is a US-based company that maintains offices in the United States and around the world.\n\nThe affected products are RTACs designed for industrial environments. These devices are mostly used in the electric utilities subsector of the energy sector. SEL estimates that these products are used primarily in North America and Europe with a small percentage in Asia.\n\n## Vulnerability Characterization\n\n### Vulnerability Overview\n\nAs this vulnerability affects Internet Protocol-connected and serial-connected devices, two CVSS scores have been calculated.\n\n### IMPROPER INPUT VALIDATION - IP-Baseda\n\nThe SEL RTAC master does not validate or incorrectly validates input. An attacker could cause the software to go into an infinite loop, causing the process to crash. In certain conditions the DNP3 driver will automatically restart and resume communications. Under more severe conditions the device ALARM contact will assert indicating a problem and the device configuration settings must be reloaded.\n\nThe following scoring is for IP-connected devices.\n\nCVE-2013-2792b has been assigned to this vulnerability. A CVSS v2 base score of 7.1 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:N/A:C).c\n\n### IMPROPER INPUT VALIDATION - Serial-Basedd\n\nThe SEL RTAC master does not validate or incorrectly validate input. An attacker could cause the software to go into an infinite loop, causing the process to crash. In certain conditions the DNP3 driver will automatically restart and resume communications. Under more severe conditions the device ALARM contact will assert indicating a problem and the device configuration settings must be reloaded.\n\nThe following scoring is for serial-connected devices.\n\nCVE- 2013-2798e has been assigned to this vulnerability. A CVSS v2 base score of 4.7 has been assigned; the CVSS vector string is (AV:L/AC:M/Au:N/C:N/I:N/A:C)f.\n\n### Vulnerability Details\n\n#### Exploitability\n\nThe IP-based vulnerability could be exploited remotely.\n\nThe serial-based vulnerability is not remotely exploitable. Local access to the serial-based outstation is required.\n\n#### Existence of Exploit\n\nNo known public exploits specifically target these vulnerabilities.\n\n#### Difficulty\n\nAn attacker with a moderate skill level could craft an IP packet that would be able to exploit this vulnerability for an IP-based device.\n\nAn attacker with a high skill level could exploit serial-based vulnerability as physical access to the device or some amount of social engineering is required.\n\n## Mitigation\n\nSEL recommends that customers affected by this issue should contact their SEL Sales Representative or Customer Service Representative to obtain a free firmware upgrade CD-ROM packet, including upgrade instructions.\n\nIn addition, the researchers suggest the following mitigations:\n\n\u00b7 Block DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DPN3-specific rule sets.\n\nICS\u2011CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.\n\n\u00b7 Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.\n\n\u00b7 Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n\n\u00b7 When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies_.g_ ICS\u2011CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, ICS-TIP-12-146-01B\u2014Targeted Cyber Intrusion Detection and Mitigation Strategies,h that is available for download from the ICS-CERT Web page (http://ics-cert.us-cert.gov/).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS\u2011CERT for tracking and correlation against other incidents.\n\n \n\n\n * a. CWE-20: Improper Input Validation, http://cwe.mitre.org/data/definitions/20.html, Web site last accessed August 06, 2013.\n * b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2792, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.\n * c. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C, Web site last accessed August 06, 2013.\n * d. CWE-20: Improper Input Validation, http://cwe.mitre.org/data/definitions/20.html, Web site last accessed August 06, 2013.\n * e. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2798, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.\n * f. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:L/AC:M/Au:N/C:N/I:N/A:C, Web site last accessed August 06, 2013.\n * g. CSSP Recommended Practices, http://ics-cert.us-cert.gov/content/recommended-practices, Web site last accessed August 06, 2013.\n * h. Targeted Cyber Intrusion Detection and Mitigation Strategies, http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B, Web site last accessed August 06, 2013.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://www.us-cert.gov/ics \nor incident reporting: https://www.us-cert.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\nWas this document helpful? Yes | Somewhat | No\n", "modified": "2013-08-12T00:00:00", "published": "2013-08-07T00:00:00", "id": "ICSA-13-219-01", "href": "https://www.us-cert.gov//ics/advisories/ICSA-13-219-01", "title": "Schweitzer Engineering Laboratories Improper Input Validation", "type": "ics", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}]}
