Brazilian process management software developer Elipse has patched a serious denial-of-service vulnerability in its web-based Elipse SCADA application.
The software is used in a number of critical industries worldwide, including manufacturing, energy, water and wastewater plants.
The vulnerability was discovered in the DNP3 deployment used in Elipse SCADA; a new version of the product’s DNP3 driver has been published. DNP, or Distributed Network Protocol, is a communication protocol used in process automation systems, mainly in electric and water plants.
Operators are urged to update the driver in:
- Elipse SCADA 2.29 build 141 and prior w/ DNP3 driver,
- Elipse E3 versions V1.0 to V4.6,
- Elipse Power systems Versions V1.0 to V4.6, and
- DNP 3.0 Master v3.02 and prior
“An attacker exploiting this vulnerability can cause the process to be disabled until it is manually restarted,” said the Industrial Control System Cyber Emergency Response Team (ICS-CERT) in an advisory.
The vulnerability behaves differently depending on the deployment. Researchers Adam Crain and Chris Sistrunk reported the vulnerability; service interruption in Elipse E3 and Elipse Power systems is about 30 seconds whereas Elipse SCADA is down until the system is restarted, they said.
Crain and Sistrunk said the vulnerability can be exploited remotely, though none have been spotted in the wild.
“It’s a denial of service (precisely it was an ‘infinite loop’) in the master (client) side. So an attacker could go to any endpoint device and then trash the central monitoring server,” Crain told Threatpost.
Elipse DNP Master Driver v4.0.021 mitigates the vulnerability.
Crain said this continues a trend of similar vulnerabilities in other SCADA and ICS gear.
“The software for an entire industry is full of bugs like this, and others,” he said.
Patching this issue, like others with software running critical infrastructure, may cause temporary service interruption, and organizations reticent to deal with downtime may hold off and thus extend their exposure.
“Updating and patching would almost certainly require some down time,” Crain said. “Maybe less if the site has a redundant system (i.e. patch the primary, let the secondary take over), and then restore the primary when done patch the secondary.”
ICS-CERT suggests that control systems should not be accessible from the Internet and locate them, and remote devices, behind a firewall and away from business networks that need Internet connectivity. Remote access, meanwhile, should happen over a VPN connection, ICS-CERT said.
ICS-CERT also released an update to an alert from last week with additional patches announced for remote code execution vulnerabilities in Siemens WinCC deployments. Two critical flaws, likely being exploited, were patched Nov. 26 for SIMANTIC WinCC, SIMANTIC PCS7 and TIA Portal. The WinCC application is a SCADA program used for process visualization in a number of industries and is considered the industry standard, according to Siemens. Within the Simantic product line, for example, is integrated into the HMI, or Human Machine Interface, component. TIA Portal, meanwhile, is engineering software used in the Simantic product line.
Successful exploits of these vulnerabilities allow for remote code execution and for the attacker to steal files from a server running WinCC, ICS-CERT said.
Patches were not complete last week for all products running the vulnerable software, but Siemens has pushed out another batch of fixes, and urges operators running the WinCC app to apply them immediately.
The new updates are as follows, according to ICS-CERT:
- TIA Portal V13 (including WinCC Professional Runtime) – Upgrade to WinCC V13 Update 6
- WinCC 7.2—Upgrade to WinCC 7.2 Update 9
- PCS 7 V8.0 SP2—Upgrade to WinCC 7.2 Update 9; Upgrade to OpenPCS 7 V8.0.1 Update 5; Upgrade to Route Control V8.0.1 Update 4; Upgrade to BATCH V8.0.1 Update 11
- WinCC 7.3—Upgrade to WinCC 7.3 Update 2
- PCS 7 V8.1—Upgrade to WinCC 7.3 Update 2
- Upgrade to OpenPCS 7 V8.1 Update 1 is in preparation.
- Upgrade to Route Control V8.1 Update 1 is in preparation.
- Upgrade to BATCH V8.1.1 Update 1 is in preparation.