Schneider Electric ClearSCADA Uncontrolled Resource Consumption Vulnerability
ICSA： ICS Advisory (ICSA-14-014-01)
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an uncontrolled resource consumption vulnerability in the Schneider Electric SCADA Expert ClearSCADA software. Schneider Electric has produced a new version that mitigates this vulnerability. Adam Crain has tested the new version to validate that it resolves the vulnerability.
This vulnerability could be exploited remotely.
The following Schneider Electric versions are affected:
- ClearSCADA 2010 R2 (Build 71.4165),
- ClearSCADA 2010 R2.1 (Build 71.4325),
- ClearSCADA 2010 R3 (Build 72.4560),
- ClearSCADA 2010 R3.1 (Build 72.4644),
- SCADA Expert ClearSCADA 2013 R1 (Build 73.4729),
- SCADA Expert ClearSCADA 2013 R1.1 (Build 73.4832),
- SCADA Expert ClearSCADA 2013 R1.1a (Build 73.4903), and
- SCADA Expert ClearSCADA 2013 R1.2 (Build 73.4955).
Successful exploitation of this vulnerability may cause a denial of service (DoS) of the DNP3 process. Specially crafted, unsolicited frames may cause excessive event logging. This condition may slow driver operation and may lead to a DoS.
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Schneider Electric is a France-based company that maintains offices in 190 countries worldwide.
According to Schneider Electric, ClearSCADA is deployed across several sectors including energy and water and wastewater systems.
UNCONTROLLED RESOURCE CONSUMPTIONa
Specially crafted IP frames may cause DNP3Driver.exe to hang. If the DNP3 driver was flooded with frames containing multiple errors, an excessive number of event journal messages could be logged, resulting in a starvation of resources, leading to a DoS attack. This condition cannot cause data corruption, crash the driver, or allow execution of arbitrary code but will affect operational response.
This vulnerability could be exploitable remotely.
EXISTENCE OF EXPLOIT
No known public exploits specifically target this vulnerability.
An attacker with a medium skill would be able to exploit this vulnerability.
Schneider Electric has fixed this issue in the latest released software version of SCADA Expert ClearSCADA 2013 R2.
ClearSCADA users should contact the local Schneider Electric office to obtain the latest software version for ClearSCADA; alternatively this new version is available for direct download from the Schneider Electric Web site. To upgrade, customers are required to complete and submit an online form available here:
General instructions on how to upgrade the ClearSCADA license are available here:
Detailed instructions on how to upgrade a ClearSCADA installation are available here:
Schneider Electric advises all ClearSCADA users to take steps to secure the interfaces to the ClearSCADA system. The following guidelines should be taken as a starting point only in establishing an appropriate level of system security:
- Monitor DNP3 traffic and system Event Journal to detect excessive amounts of traffic/logging that may be representative of a fuzzing attack.
- Upgrade the ClearSCADA server to SCADA Expert ClearSCADA 2013 R2 or newer, or Service Packs released later than November 2013.
Schneider Electric has also published security notification SEVD-2013-339-01.
The researchers suggest blocking DNP3 traffic from traversing onto business or corporate networks through the use of an intrusion prevention system or firewall with DNP3-specific rule sets to add an additional layer of protection.
NCCIC/ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
NCCIC/ICS-CERT also provides a section for control systems security recommended practices on the NCCIC/ICS-CERT Web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. NCCIC/ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the NCCIC/ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Mitigation Strategies, that is available for download from the NCCIC/ICS-CERT Web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC/ICS-CERT for tracking and correlation against other incidents.
- a. CWE-400: Uncontrolled Resource Consumption, http://cwe.mitre.org/data/definitions/400.html, Web site last accessed January 14, 2014.
- b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6142, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.
- c. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P, Web site last accessed January 14, 2014.