Recent News

ICS-CERT advisory for DNP3

by Joe Stevens | Dec 17, 2013

Triangle MicroWorks received an advisory from ICS-CERT which could affect customers using our DNP3 Outstation Source Code Library.  The advisory describes a vulnerability in the DNP3 Outstation Source Code Library which will allow a maliciously malformed message sent from within the security perimeter to lock up the execution of the library code.  The complete advisory from ICS-CERT can be found here.  A similar vulnerability was discovered shortly after, which could affect customers using our DNP3 Master Source Code Library.

In order to address these vulnerabilities, Triangle MicroWorks has released v3.16.01 of the DNP3 Master and Outstation Source Code Libraries.  This version of the DNP3 Source Code Libraries provides increased levels of protection against malicious and malformed messages.  

These vulnerabilities were found by a pair of researchers using a technique often referred to as “fuzz testing.”  Fuzz testing is a method of testing software that sends invalid, unexpected, or even random data to the device under test to see how it reacts. Fuzz testing is a useful process for finding software bugs, especially ones related to buffer overflows, boundary issues, etc. 

Triangle MicroWorks takes the issue of security very seriously, and has initiated a two-pronged approach to address these types of issues:

  1. We analyze our code for potential vulnerabilities

  2. In addition to our conformance and regression testing, we perform extensive fuzzing tests to strengthen our input verification.

The input validation failures identified by fuzz testing can only be exploited by a hacker when the security perimeter for the SCADA Network has been breached.  The impact of exploiting these input validation failures (typically denial of service) should be considered in the context of the other actions available to a hacker when the security perimeter for the SCADA Network has been breached (sending a command to control field equipment, spoofing bad data causing the master to take inappropriate actions, flooding the network to cause denial of service, etc.).

When an investment is made to improve security of the SCADA Network, the first priority is to ensure an adequate security perimeter is in place (firewalls, physical security, configuration of intelligent switches/routers, etc.).  Once this is complete, consideration should be given to limiting the damage that can be done should a hacker breach the security perimeter for the SCADA Network.  For example, disable communication protocol commands in the device that are not used by the master so they are not available to a hacker.

The ICS-CERT advisory affects our DNP3 Source Code Libraries v3.06 through v3.15, and any products made with these libraries (including the SCADA Data Gateway, Communication Protocol Test Harness, DNP3 .NET Protocol components, and DNP3 ANSI C source code libraries).  The latest releases of these products have the updated DNP3 source code which fixes the problem specifically described in the ICS-CERT advisory mentioned above.   This release also provides additional enhancements based on our code analysis and additional testing.

Triangle MicroWorks appreciates the feedback we have received from our customers regarding this advisory and our solution.  We understand why reliability and security are top priorities for our customers.  That is why our goal remains to resolve customer issues (especially those related to security) with reliable and timely solutions.

© 2013 Triangle MicroWorks, Inc. All rights reserved.