MatrikonOPC Multiple Product Vulnerabilities
ICSA: ICS Advisory (ICSA-13-106-01)
This advisory was originally posted to the US-CERT secure Portal library on April 16, 2013, and is now being released to the ICS-CERT Web page.
Independent researcher Dillon Beresford of Cimation has identified vulnerabilities in two MatrikonOPC products; MatrikonOPC A&E Historian and MatrikonOPC Security Gateway. MatrikonOPC has produced patches that mitigate these vulnerabilities. Mr. Beresford has tested the patches to validate that they resolve the vulnerabilities.
These vulnerabilities could be exploited remotely.
The following MatrikonOPC A&E Historian and MatrikonOPC Security Gateway versions are affected:
- MatrikonOPC A&E Historian Version 22.214.171.124, and
- MatrikonOPC Security Gateway Version 1.0.
By sending a specially crafted packet to Port 8543/TCP when the Health Monitor service is running, an attacker can exploit a directory traversal vulnerability and read any file on the server running the Historian Health Monitor service. When an attacker accesses a file on the affected system using this directory traversal mechanism, the file may be deleted by the MatrikonOPC software. MatrikonOPC has notified all affected customers.
The vulnerability that affects MatrikonOPC Security Gateway can cause a temporary denial of service by crashing a utility provided with, and used for configuration of, the OPC Security Gateway with an unhandled exception. This is accomplished by sending a reset command to Port 30544/TCP while the connection is active. Although this vulnerability can be remotely exploited, in practical terms the potential impact is relatively low. No arbitrary code exploit is possible, and the OPC Security Gateway continues to function.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
MatrikonOPC is a US-based company whose products serve the oil and gas, mining, power and utilities, petrochemical, and other industries. MatrikonOPC products are primarily used in the US, Canada, and UK.
The first affected product, MatrikonOPC A&E Historian, records alarms and events that occur within an ICS OPC network. The MatrikonOPC A&E Historian includes a Health Monitor service that allows the user to monitor the health and performance of the Historian’s Web server and servlets.
The second affected product, the MatrikonOPC Security Gateway, provides a link between an ICS OPC network and external networks to provide traffic isolation and enforce security policies. This product can be used in OPC network applications and is installed mainly in the US, Canada, and the UK.
The MatrikonOPC A&E Historian incorporates a Health Monitor service that publishes a Web interface to allow users to monitor control components and activities on the ICS network. This Web interface has a vulnerability where a user can access system files by modifying the URL in a browser.
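As an added defensive illustration (not part of this advisory and not MatrikonOPC's code), the following Python shows how a Web interface that serves files should bind a requested URL path to a fixed web root so that ".." segments, percent-encoded variants, backslash separators and symlinks cannot reach files outside it, which is the CWE-22 weakness described above. The web root and request paths in the self-check are constructed here for demonstration.

```python
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def decode_path(url_path: str) -> str:
    """Strip up to three layers of percent-encoding so %2e%2e and %252e%252e
    are seen as '..', and treat backslashes as separators (Windows hosts)."""
    decoded = url_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def resolve_under_root(web_root: str, url_path: str) -> Optional[str]:
    """Map a request path to a file under web_root, or return None when the
    request tries to leave it ('..' segments, NUL bytes, symlinks pointing out)."""
    segments = [s for s in decode_path(url_path).split("/") if s not in ("", ".")]
    if ".." in segments or any("\0" in s for s in segments):
        return None                      # refuse rather than silently normalise
    root = os.path.realpath(web_root)    # realpath also follows symlinks
    candidate = os.path.realpath(os.path.join(root, *segments))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:                   # different drives on Windows
        inside = False
    return candidate if inside else None


def self_check() -> Dict[str, bool]:
    """Exercise the resolver against a constructed web root; True means the
    request would be served, False means it was refused."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "status"))
        with open(os.path.join(root, "status", "index.html"), "w") as fh:
            fh.write("ok")
        requests = {                     # constructed sample request paths
            "normal": "/status/index.html",
            "dot_segment": "/status/./index.html",
            "plain_traversal": "/../../../../etc/passwd",
            "encoded_traversal": "/status/%2e%2e/%2e%2e/etc/passwd",
            "double_encoded": "/%252e%252e/%252e%252e/etc/passwd",
            "backslash": "/status\\..\\..\\windows\\win.ini",
        }
        return {name: resolve_under_root(root, p) is not None
                for name, p in requests.items()}
```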
A valid TCP/IP reset packet (RST) sent to Port 30544/TCP causes the configuration utility to crash with an unhandled exception.
These vulnerabilities could be exploited remotely.
Existence of Exploit
No known public exploits specifically target these vulnerabilities.
An attacker with low skill would be able to exploit these vulnerabilities if the devices are exposed to the Internet.
MatrikonOPC has produced patches that mitigate these vulnerabilities. The patches can be downloaded and installed using the following process:
- Log into MatrikonOPC’s support portal at http://www.matrikonopc.com/login/index.aspx.
- Select the Online Support tab.
- Scroll down to the Product Advisory topic.
- Click on Security Notification for A&E Historian or Security Gateway.
- Read the vendor advisory and download the patch using the patch link.
- Run the patch installer on the computer running the affected software product.
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
- Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
- Do not click Web links or open unsolicited attachments in email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
1. CWE-22: Path Traversal, http://cwe.mitre.org/data/definitions/22.html, Web site last accessed April 26, 2013.
2. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0673, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.
3. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:N/A:C), Web site last visited April 26, 2013.
4. CWE-388: Exception Handling, http://cwe.mitre.org/data/definitions/388.html, Web site last accessed April 26, 2013.
5. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0666, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.
6. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P), Web site last visited April 26, 2013.