Denial of Service Vulnerability Fixed in SCADA Server

A hole has been fixed in an industrial control system data management server that if left unpatched could result in a remotely exploitable DoS condition.

Subnet Solutions, Inc., a Canadian manufacturer of electric utility products, fixed the vulnerability – along with another related vulnerability – with a hot fix this week.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) meanwhile warned about the vulnerability in an advisory posted to its site yesterday.

Adam Crain of Automatak and Chris Sistrunk of Mandiant discovered the vulnerability, a buffer overflow flaw, earlier this summer. Specifically, the vulnerability affects the company’s SubSTATION Server 2, Telegyr 8979 Master application.

Crain and Sistrunk found that by sending the server a specially crafted packet whose contents exceed the data length the server expects, an attacker could trigger a buffer overflow and crash the system.

Subnet went on to discover that even when a specially crafted packet carrying a valid data length was sent to the server, any messages sent immediately afterwards would also crash the service, owing to a root cause in the server’s GPT software library.
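The oversized-length flaw described above is the classic case of a protocol parser trusting a length field from the wire. As an added illustration (not Subnet's code, and the frame layout is a constructed, hypothetical one rather than the real Telegyr 8979 format), the parser below shows the two checks whose absence lets a declared length drive a copy past a fixed-size buffer: the declared length must fit the destination and must not exceed the bytes actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout (hypothetical, NOT the real Telegyr 8979 format):
 *   byte 0      : function code
 *   bytes 1-2   : declared payload length N, big-endian
 *   bytes 3..   : N payload bytes
 */
#define HDR_LEN     3
#define MAX_PAYLOAD 64

typedef struct {
    uint8_t  function;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];   /* fixed-size destination buffer */
} frame_t;

/* Returns 0 on success, a negative code on rejection.
 * An unchecked parser would memcpy `declared` bytes into payload[] directly,
 * so a frame declaring more than MAX_PAYLOAD bytes overruns the struct. */
int parse_frame(const uint8_t *buf, size_t buflen, frame_t *out)
{
    if (buf == NULL || out == NULL) return -1;
    if (buflen < HDR_LEN) return -2;                        /* truncated header */
    uint16_t declared = (uint16_t)((buf[1] << 8) | buf[2]);
    if (declared > MAX_PAYLOAD) return -3;                  /* would overflow payload[] */
    if ((size_t)declared > buflen - HDR_LEN) return -4;     /* claims more than was received */
    out->function = buf[0];
    out->len = declared;
    memcpy(out->payload, buf + HDR_LEN, declared);          /* now provably in bounds */
    return 0;
}

/* Constructed sample frames: one valid, one with an oversized length field,
 * one whose declared length exceeds the bytes actually present. */
const uint8_t GOOD_FRAME[]      = {0x01, 0x00, 0x03, 'a', 'b', 'c'};
const uint8_t OVERSIZED_FRAME[] = {0x01, 0xFF, 0xFF, 'a', 'b', 'c'};
const uint8_t TRUNCATED_FRAME[] = {0x01, 0x00, 0x10, 'a'};

/* Wrappers returning only the status / parsed length, for quick checks. */
int parse_status(const uint8_t *buf, size_t n) { frame_t f; return parse_frame(buf, n, &f); }
int parsed_len(const uint8_t *buf, size_t n)   { frame_t f; return parse_frame(buf, n, &f) == 0 ? (int)f.len : -1; }

int main(void)
{
    printf("good: %d (len %d)\n", parse_status(GOOD_FRAME, sizeof GOOD_FRAME), parsed_len(GOOD_FRAME, sizeof GOOD_FRAME));
    printf("oversized: %d\n", parse_status(OVERSIZED_FRAME, sizeof OVERSIZED_FRAME));
    printf("truncated: %d\n", parse_status(TRUNCATED_FRAME, sizeof TRUNCATED_FRAME));
    return 0;
}
```

Rejected frames return a distinct code per check, which is what a defender wants logged: a burst of -3 or -4 results from one peer is a cheap signal that a master is being fed malformed length fields.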

While there don’t appear to be any public exploits against the vulnerability and crafting one would be difficult according to ICS-CERT, those looking to patch the issue can contact Subnet’s support department, which is distributing the hot fix via secure FTP.

The software primarily helps manage SCADA systems in the power utility industry, and is used in the regulation of oil, gas, and electric utilities. The server “performs data concentration, protocol translation, automation logic, event file collection, and enterprise connectivity,” according to the ICS-CERT advisory.

As in the past, the duo used Automatak’s Project Robus, a tool to sniff out zero days and other vulnerabilities in the way that SCADA and ICS protocols are implemented in systems, to fuzz out the Subnet vulnerability.