Background
-----------------
Vendor product information:
PCU400 is the modern product for implementing an effective data acquisition network in SCADA-based systems.
PCU400, the Process Communication Unit 400, forms the communication interface to the network of remote terminal units (RTUs), together with the RCS Application Software located in the application server of a Network Manager SCADA system.
The PCU400 can be used as a SCADA front-end, communication gateway for Substation Automation systems or as a standalone protocol converter.
Two parts define the Data Acquisition system:
* RCS Application, a software package running in the Application Server
* PCU400, a front-end converter that implements the protocols and connects the physical lines
PCU 400 can be used in a variety of configurations to cater for different network topologies and different levels of fault tolerance in the system. The alternatives include single or redundant PCU 400 units.
Description
----------------
A buffer overflow exists in the component that handles IEC60870-5-101 and IEC60870-5-104 communication protocols.
C4 exploited the vulnerability to verify that it can be used for arbitrary code execution by an unauthorized attacker.
The description of the vulnerability is intentionally limited as this software controls critical national infrastructure.
Impact
----------
An attacker can compromise the server that runs PCU400, which acts as the FEP (front-end processor) server of the ABB SCADA system.
This vulnerability is another method of carrying out the "field to control center" attack vector described in C4's S4 2008 paper "Control System Attack Vectors and Examples: Field Site and Corporate Network", allowing the attacker to control other RTUs connected to that FEP.
In addition, an attacker can use control over the FEP server to insert generic electric-grid malware, as described in our SysScan08 presentation, in order to cause harm to the grid.
Both documents are available at http://www.c4-security.com/index-5.html .
Affected Versions
-------------------------
PCU400 4.4
PCU400 4.5
PCU400 4.6
Other versions were not tested and may also be vulnerable.
Workaround/Fix
-----------------------
The vendor issued a hotfix to resolve this vulnerability.
Additional Information
-------------------------------
For additional information please contact us at info_at_c4-security.com.
Note that we will respond only to verified utility personnel and governmental agencies.
The CVE identifier assigned to this vulnerability by CERT is CVE-2008-2474.
Credit
--------
This vulnerability was discovered and exploited by Idan Ofrat of C4.