Three SCADA Vulnerabilities Disclosed

As part of research projects, product assessments, and vulnerability analysis done for our VulnDB service, Risk Based Security occasionally discovers new vulnerabilities.

Recently, our Chief Research Officer, Carsten Eiram published our first three vulnerability reports. All cover vulnerabilities in high-profile SCADA products from two major vendors: Rockwell Automation and Schneider Electric. The vulnerability coordination was handled with the respective vendors and the ICS-CERT team.

The first two vulnerability reports detail remote DoS (Denial of Service) vulnerabilities in the FactoryTalk Services Platform and RSLinx Enterprise products from Rockwell Automation. Exploitation of the vulnerabilities allows an unauthenticated remote attacker to cause a vulnerable service to either silently stop accepting new requests or completely crash, thereby preventing legitimate requests to these services.

In the case of RSLinx Enterprise, the Network Event Log Service component will no longer receive logging information from other systems and devices on the network. For FactoryTalk Services Platform, any service relying on the RNADiagnostics module (e.g. the Diagnostics CE Receiver service when processing messages from Windows CE devices) may crash. Fixes have been released by Rockwell Automation to address these vulnerabilities

The third vulnerability report details a critical remote code execution vulnerability in the Modbus Serial Driver bundled with 11 currently supported products by Schneider Electric. Any unauthenticated, remote attacker capable of connecting to the port on a system where the Modbus Serial Driver is listening can cause a stack-based buffer overflow. If an attacker successfully compromises the system where the Modbus Serial Driver is running, the attacker can in turn target any PLC connected to the system.

While RBS worked closely together with both ICS-CERT and Schneider Electric, users of these products should be aware that the vulnerability is currently unpatched, but a fix is scheduled by Schneider Electric. In the meantime, users should look into workarounds or contact the vendor for information on the availability of temporary fixes.