Today the DHS ICS-CERT published two virtually identical DNP3 advisories for twin improper input validation vulnerabilities in Catapult Software DNP3 Drivers and the GE Proficy platform. They are nearly identical because the Proficy vulnerability stems from its use of the Catapult Software drivers. Since these are familiar DNP3 vulnerabilities, it should come as no surprise that they were first reported by the team of Crain and Sistrunk. Technically, GE self-reported its vulnerability after being notified of the problem by Catapult Software.
These are the same IP-based and serial-based input validation vulnerabilities that we have seen before in similar Crain-Sistrunk advisories. ICS-CERT reports that the IP-based vulnerability has a higher CVSS v2 base score (7.1 vs 4.7), but that reflects only the fact that the IP-based vulnerability can be more easily exploited remotely. Many cybersecurity commentators (though certainly not all) note that physically accessing the serial connection may actually be easier at remote, low-security sites.
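The 7.1 versus 4.7 gap the post cites comes down to a single CVSS v2 metric, Access Vector, once the rest of the vector is held constant. The calculator below is an added example (it is not from the advisory, the blog post, or any of the vendors) and implements the published CVSS v2 base score equation. The two metric strings it uses are assumptions: the post gives only the scores, so these are constructed vectors chosen to reproduce 7.1 and 4.7 while differing only in AV (network versus local). `differing_metrics` is a helper introduced here to make that point explicit.

```python
# CVSS v2 base score calculator: added example, not code from the advisory or
# the blog post. The two vectors at the bottom are ASSUMED; they reproduce the
# 7.1 / 4.7 scores quoted in the post and differ only in Access Vector.

# Metric weights from the CVSS v2 specification (base metric group).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Split 'AV:N/AC:M/Au:N/C:N/I:N/A:C' into {'AV': 'N', 'AC': 'M', ...}.

    Rejects vectors that are missing a base metric or carry an unknown one,
    so a typo in an advisory string fails loudly instead of scoring silently.
    """
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if tuple(metrics) != BASE_METRICS:
        raise ValueError(f"expected metrics {BASE_METRICS} in order, got {tuple(metrics)}")
    return metrics


def impact_subscore(metrics):
    """10.41 * (1 - (1 - C) * (1 - I) * (1 - A))"""
    c, i, a = (IMPACT[metrics[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def exploitability_subscore(metrics):
    """20 * AccessVector * AccessComplexity * Authentication"""
    return (20 * ACCESS_VECTOR[metrics["AV"]]
            * ACCESS_COMPLEXITY[metrics["AC"]]
            * AUTHENTICATION[metrics["Au"]])


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    metrics = parse_vector(vector)
    impact = impact_subscore(metrics)
    exploitability = exploitability_subscore(metrics)
    f_impact = 0.0 if impact == 0 else 1.176  # f(Impact) from the specification
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


def differing_metrics(vector_a, vector_b):
    """Names of the base metrics on which two vectors disagree."""
    a, b = parse_vector(vector_a), parse_vector(vector_b)
    return [name for name in BASE_METRICS if a[name] != b[name]]


# ASSUMED vectors: network- versus local-only access, medium complexity, no
# authentication, and a complete availability impact (the protocol stack stops).
IP_DNP3 = "AV:N/AC:M/Au:N/C:N/I:N/A:C"
SERIAL_DNP3 = "AV:L/AC:M/Au:N/C:N/I:N/A:C"

if __name__ == "__main__":
    print("IP-based    :", base_score(IP_DNP3))        # 7.1
    print("serial-based:", base_score(SERIAL_DNP3))    # 4.7
    print("metrics that differ:", differing_metrics(IP_DNP3, SERIAL_DNP3))  # ['AV']
```

The impact sub-score is identical for both vectors; only the exploitability term moves, and it moves because AV drops from 1.0 to 0.395. That is the arithmetic behind the post's remark that the score gap measures remote reachability, not severity of outcome, which is why a serial link that is physically easy to reach at an unstaffed site can still deserve the same mitigation priority as the IP-facing one.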
Catapult Software has produced updated software that mitigates both its own vulnerabilities and the Proficy vulnerabilities. The Catapult advisory reports that Crain and Sistrunk have validated the efficacy of the new software version. While that is not specifically mentioned in the GE advisory, I would assume that the same validation applies to the Proficy issues.
The Automatak web site lists these vulnerabilities as numbers 10 and 11 of the 25 vulnerable systems that they have discovered. I wonder how many of the remaining 14 are also based upon either the Catapult system or the earlier Triangle Microworks library. Both have obviously been made available (sold) to other vendors. Of course, it is also possible that Crain and Sistrunk have not yet found all of the vulnerable systems, since they have apparently stopped looking for these vulnerabilities; no challenge left, I suppose.
Hopefully, any as-yet-unidentified DNP3 vendors will take the leads posted by these two and self-correct and self-report their problems without being identified by Project Robus.
NOTE: A quick update from an Adam Crain Tweet® - "None of the remaining vulns are catapult related. Should probably read 11/26 now, but we've kinda stopped counting."