C4 Security Advisory - ABB PCU400 4.4-4.6 Remote Buffer Overflow

2008.10.01
Credit: Idan Ofrat
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Background
-----------------
Vendor product information: PCU400 is the modern product when implementing an effective data acquisition network in SCADA-based systems. PCU400, Process Communication Unit 400, forms the communication interface to the network of remote terminal units (RTUs) together with the RCS Application Software located in the application server of a Network Manager SCADA system. The PCU400 can be used as a SCADA front-end, communication gateway for Substation Automation systems or as a standalone protocol converter.

Two parts define the Data Acquisition system:
* RCS Application, a software package running in the Application Server
* PCU400, a front-end converter that implements the protocols and connects the physical lines

PCU 400 can be used in a variety of configurations to cater for different network topologies and different levels of fault tolerance in the system. The alternatives include single or redundant PCU 400 units.

Description
----------------
A buffer overflow exists in the component that handles the IEC60870-5-101 and IEC60870-5-104 communication protocols. The vulnerability was exploited by C4 to verify that it can be used for arbitrary code execution by an unauthorized attacker. The description of the vulnerability is intentionally limited as this software controls critical national infrastructure.

Impact
----------
An attacker can compromise the server which runs PCU400, which acts as the FEP server of the ABB SCADA system. This vulnerability is another method to carry out the "field to control center" attack vector mentioned in C4's S4 2008 paper "Control System Attack Vectors and Examples: Field Site and Corporate Network", which will allow the attacker to control other RTUs connected to that FEP. In addition, an attacker can use his control over the FEP server to insert a generic electric grid malware as specified in our SysScan08 presentation, in order to cause harm to the grid.
Both documents are available at http://www.c4-security.com/index-5.html .

Affected Versions
-------------------------
PCU400 4.4
PCU400 4.5
PCU400 4.6
Other versions may be vulnerable, as they were not tested.

Workaround/Fix
-----------------------
The vendor issued a hotfix to resolve this vulnerability.

Additional Information
-------------------------------
For additional information please contact us at info_at_c4-security.com. Note that we will respond only to verified utility personnel and governmental agencies.

The CVE identifier assigned to this vulnerability by CERT is CVE-2008-2474.

Credit
--------
This vulnerability was discovered and exploited by Idan Ofrat of C4.
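The advisory withholds the details of the overflow, so as an added illustration (not C4's or ABB's code, and not the PCU400 handler) here is the kind of bounds check that a CWE-119 flaw in an IEC 60870-5-104 receive path lacks: a small, hypothetical APCI parser that validates the length octet against both the protocol maximum and the bytes actually received before exposing the ASDU. Frame layout (0x68 start byte, length octet, four control octets, ASDU) follows the standard; the enum, struct and function names are the example's own.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical defensive parser for the IEC 60870-5-104 APCI (added example,
 * not PCU400 code). The length octet states how many bytes follow it; using it
 * without comparing against the bytes actually received is the CWE-119 pattern. */
#define APCI_START   0x68
#define APCI_MAX_LEN 253   /* largest legal value of the length octet */
#define APCI_MIN_LEN 4     /* four control-field octets and no ASDU */

enum apdu_status { APDU_OK = 0, APDU_SHORT = -1, APDU_BAD_START = -2,
                   APDU_BAD_LEN = -3, APDU_TRUNCATED = -4 };

struct apdu {
    uint8_t ctrl[4];      /* control field octets 1..4 */
    const uint8_t *asdu;  /* view into the caller's buffer, never copied */
    size_t asdu_len;
    char format;          /* 'I', 'S' or 'U' */
};

/* Parse one APDU from buf[0..buf_len). Fills *out only on APDU_OK. */
int apdu_parse(const uint8_t *buf, size_t buf_len, struct apdu *out)
{
    if (buf_len < 2)
        return APDU_SHORT;             /* need start byte plus length octet */
    if (buf[0] != APCI_START)
        return APDU_BAD_START;
    size_t len = buf[1];               /* octets that follow the length field */
    if (len < APCI_MIN_LEN || len > APCI_MAX_LEN)
        return APDU_BAD_LEN;
    if (buf_len < 2 + len)
        return APDU_TRUNCATED;         /* claimed length exceeds received data */
    memcpy(out->ctrl, buf + 2, 4);
    out->asdu = buf + 6;
    out->asdu_len = len - 4;
    if ((out->ctrl[0] & 0x01) == 0)
        out->format = 'I';             /* information transfer */
    else if ((out->ctrl[0] & 0x03) == 0x01)
        out->format = 'S';             /* numbered supervisory */
    else
        out->format = 'U';             /* unnumbered control, e.g. STARTDT */
    return APDU_OK;
}

/* Returns the format letter, or 0 when the frame is rejected. */
int apdu_format_of(const uint8_t *buf, size_t buf_len)
{
    struct apdu a;
    return apdu_parse(buf, buf_len, &a) == APDU_OK ? a.format : 0;
}
```

A receive loop that only ever hands `asdu`/`asdu_len` to the ASDU decoder after `APDU_OK` cannot be driven past the end of its input by a hostile length octet; a reassembly buffer sized from the length octet should likewise be checked against the 253-byte bound before any copy.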

References:

http://www.kb.cert.org/vuls/id/343971
http://www.securityfocus.com/bid/31391
http://www.securityfocus.com/archive/1/archive/1/496739/100/0/threaded
http://www.kb.cert.org/vuls/id/CTAR-7JTNRX

