All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
This updated advisory is a follow-up to the original advisory titled ICSA-13-282-01, Alstom e‑terracontrol DNP3 Master Improper Input Validation, which was posted to the NCCIC/ICS‑CERT Web site October 09, 2013.
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation in the Alstom e-terracontrol software. Alstom has produced a patch that mitigates this vulnerability. Adam Crain and Chris Sistrunk have tested the patch to validate that it resolves the vulnerability.
This vulnerability could be exploited remotely.
The following Alstom product is affected:
- e-terracontrol, Version 3.5, 3.6, and 3.7
--------- Begin Update A Part 1 of 4 --------
The master can be sent into an infinite loop by sending a specially crafted TCP packet from the outstation on an IP-based network. If the device is connected via a serial connection, the same attack can be accomplished with physical access to the master station. The device must be shut down and restarted to reset the loop state.
--------- End Update A Part 1 of 4 ----------
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS‑CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Alstom is a France-based company that maintains offices worldwide.
The affected product, Alstom e-terracontrol software, is used on SCADA systems to monitor and control electrical energy systems. According to Alstom, e-terracontrol software is deployed across the electric energy sector. Alstom estimates that these products are used primarily in the US and Europe with a small percentage in Asia.
--------- Begin Update A Part 2 of 4 --------
As this vulnerability affects Internet Protocol-connected and Serial-connected devices, two CVSS scores have been calculated.
IMPROPER INPUT VALIDATION-IP-BASEDa
The Alstom e-terracontrol DNP Master Driver incorrectly validates input. An attacker could cause the software to go into an infinite loop with a specifically crafted TCP packet, causing the process to crash. If the Alstom e-terracontrol settings are configured to automatically restart, the DNP3 service will automatically restart and resume communications. Otherwise, the system must be restarted manually.
The following scoring is for IP-connected devices.
IMPROPER INPUT VALIDATION-SERIAL-BASEDd
The Alstom e-terracontrol DNP Master Driver incorrectly validates input. An attacker could cause the software to go into an infinite loop, causing the process to crash. If the Alstom e‑terracontrol settings are configured to automatically restart, the DNP3 service will automatically restart and resume communications. Otherwise, the system must be restarted manually.
The following scoring is for serial-connected devices.
--------- End Update A Part 2 of 4 ----------
--------- Begin Update A Part 3 of 4 --------
The IP-based vulnerability could be exploited remotely.
The serial-based vulnerability is not exploitable remotely. Local access to the serial-based outstation is required.
--------- End Update A Part 3 of 4 ----------
EXISTENCE OF EXPLOIT
No known public exploits specifically target this vulnerability.
--------- Begin Update A Part 4 of 4 --------
An attacker with a moderate skill could craft an IP packet that would be able to exploit the vulnerability for an IP-based device.
An attacker with a high skill could exploit the serial-based vulnerability because physical access to the device or some amount of social engineering is required.
--------- End Update A Part 4 of 4 ----------
Alstom has produced a patch that is available for download from the Alstom Grid Customer Wise portal. Customers are encouraged to contact their Alstom representative for download information.
NCCIC/ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
In addition, the researchers' suggest the following mitigations:
- Block DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DPN3-specific rule sets.
NCCIC/ICS-CERT also provides a section for control systems security recommended practices on the NCCIC/ICS-CERT Web site. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.g NCCIC/ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the NCCIC/ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Mitigation Strategies,h that is available for download from the NCCIC/ICS-CERT Web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC/ICS-CERT for tracking and correlation against other incidents.
- a. CWE-20: Improper Input Validation, http://cwe.mitre.org/data/definitions/20.html, Web site last accessed October 09, 2013.
- b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2787, Web site last accessed October 21, 2013.
- c. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C, Web site last accessed October 09, 2013.
- d. CWE-20: Improper Input Validation, http://cwe.mitre.org/data/definitions/20.html, Web site last accessed October 21, 2013.
- e. NVD, http://Web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2818, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.
- f. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:L/AC:M/Au:N/C:N/I:N/A:C, Web site last accessed October 21, 2013.
- g. CSSP Recommended Practices, http://ics-cert.us-cert.gov/content/recommended-practices, Web site last accessed October 09, 2013.
- h. Targeted Cyber Intrusion Detection and Mitigation Strategies, http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B, Web site last accessed October 09, 2013.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.