C4 Security Advisory - ABB PCU400 4.4-4.6 Remote Buffer Overflow

Published: 2008.10.01
Credit: Idan Ofrat
Risk: High
CWE: CWE-119
CVE: CVE-2008-2474
Local: No
Remote: Yes

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Background
-----------------
Vendor product information:

PCU400 is the modern product for implementing an effective data acquisition network in SCADA-based systems.

PCU400, the Process Communication Unit 400, forms the communication interface to the network of remote terminal units (RTUs),
together with the RCS Application Software located in the application server of a Network Manager SCADA system.
The PCU400 can be used as a SCADA front-end, as a communication gateway for Substation Automation systems, or as a standalone
protocol converter.
Two parts define the Data Acquisition system:
* RCS Application, a software package running in the Application Server
* PCU400, a front-end converter that implements the protocols and connects the physical lines

PCU 400 can be used in a variety of configurations to cater for different network topologies and different levels of
fault tolerance in the system. The alternatives include single or redundant PCU 400 units.

Description
----------------
A buffer overflow exists in the component that handles IEC60870-5-101 and IEC60870-5-104 communication protocols.
The vulnerability was exploited by C4 to verify it can be used for arbitrary code execution by an unauthorized
attacker.
The description of the vulnerability is intentionally limited as this software controls critical national
infrastructure.

Impact
----------
An attacker can compromise the server running PCU400, which acts as the front-end processor (FEP) of the ABB SCADA system.
This vulnerability is another method of carrying out the "field to control center" attack vector described in
C4's S4 2008 paper "Control System Attack Vectors and Examples: Field Site and Corporate Network", which would
allow the attacker to control other RTUs connected to that FEP.

In addition, an attacker can use control over the FEP server to insert generic electric grid malware, as described
in our SysScan08 presentation, in order to cause harm to the grid.

Both documents are available at http://www.c4-security.com/index-5.html .

Affected Versions
-------------------------
PCU400 4.4
PCU400 4.5
PCU400 4.6
Other versions may be vulnerable, as they were not tested.

Workaround/Fix
-----------------------
The vendor issued a hotfix to resolve this vulnerability.

Additional Information
-------------------------------
For additional information please contact us at info_at_c4-security.com.
Note that we will respond only to verified utility personnel and governmental agencies.
The CVE identifier assigned to this vulnerability by CERT is CVE-2008-2474.

Credit
--------
This vulnerability was discovered and exploited by Idan Ofrat of C4.


References:

http://www.kb.cert.org/vuls/id/343971
http://www.securityfocus.com/bid/31391
http://www.securityfocus.com/archive/1/archive/1/496739/100/0/threaded
http://www.kb.cert.org/vuls/id/CTAR-7JTNRX

Copyright 2014, cxsecurity.com