A buffer overflow vulnerability has been identified in a system used to control the national electric grid

Sep 26, 2008 08:56 GMT  ·  By

C4 Security has released an advisory describing a buffer overflow vulnerability in ABB's PCU400 software, which serves as the communication interface between SCADA (Supervisory Control And Data Acquisition) servers and the remote terminal units on the network. The product is known to be used for controlling critical infrastructure such as the national electric grid. Successful exploitation can result in remote arbitrary code execution or denial of service.

The ABB Group is one of the global leaders in power and automation technologies and operates in over 100 countries. The PCU400 product line is a network communications front-end converter that implements several protocols and connects the physical lines as part of a SCADA system. “PCU 400 can be used in a variety of configurations to cater for different network topologies and different levels of fault tolerance in the system,” notes the C4 advisory.

The vulnerability resides in the X87 interface, which handles IEC 60870-5-101/104 protocol communication. An attacker can trigger it by sending a maliciously crafted packet to TCP port 8087. According to the advisory, successful exploitation gives the attacker control over the remote terminal units (RTUs) connected to the PCU400 server, and those privileges could then be used to insert a “generic electric grid malware” designed to inflict damage on the grid.
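To make the protocol-level point concrete, here is an added example that is not code from the C4 advisory or from ABB. It is a defensive parser for IEC 60870-5-104 APDUs, the framing that the X87 interface accepts on TCP port 8087, and it shows the checks a front end has to apply before it trusts a length field that arrived over the network. The advisory does not describe the actual PCU400 defect; the `copy_asdu_unchecked` function is a hypothetical instance of the bug class (believing the on-the-wire length octet), placed beside a checked parser. The sample frames are constructed, not captured traffic.

```c
/*
 * Added example, not code from the C4 advisory or from ABB: a defensive
 * parser for IEC 60870-5-104 APDUs. The advisory does not describe the
 * PCU400 defect; copy_asdu_unchecked() is a hypothetical instance of the
 * bug class (trusting the on-the-wire length octet), beside a checked parser.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IEC104_START     0x68  /* APCI start octet */
#define IEC104_CTRL_LEN  4     /* control-field octets that follow the length */
#define IEC104_MAX_APDU  253   /* largest legal value of the length octet */
#define IEC104_MAX_ASDU  (IEC104_MAX_APDU - IEC104_CTRL_LEN)  /* 249 */

enum iec104_frame  { IEC104_I_FRAME, IEC104_S_FRAME, IEC104_U_FRAME };
enum iec104_status {
    IEC104_OK = 0,
    IEC104_ERR_SHORT,      /* fewer than 6 octets received */
    IEC104_ERR_START,      /* first octet is not 0x68 */
    IEC104_ERR_LENGTH,     /* length octet outside 4..253 */
    IEC104_ERR_TRUNCATED,  /* length claims more octets than were received */
    IEC104_ERR_NO_ASDU     /* an I-frame must carry an ASDU */
};

struct iec104_apdu {
    enum iec104_frame type;
    uint8_t ctrl[IEC104_CTRL_LEN];
    uint8_t asdu[IEC104_MAX_ASDU];
    size_t  asdu_len;
};

/* Hypothetical vulnerable pattern: the length octet is trusted. A value above
 * 253 overruns the 249-byte destination, a value below 4 wraps the subtraction
 * to a huge size_t, and nothing limits the read to the bytes actually received. */
size_t copy_asdu_unchecked(const uint8_t *pkt, uint8_t out[IEC104_MAX_ASDU])
{
    size_t n = (size_t)pkt[1] - IEC104_CTRL_LEN;
    memcpy(out, pkt + 2 + IEC104_CTRL_LEN, n);
    return n;
}

/* Hardened parser: every field is checked against what was received before
 * any copy takes place. */
enum iec104_status iec104_parse_apdu(const uint8_t *pkt, size_t received,
                                     struct iec104_apdu *out)
{
    if (received < 2 + IEC104_CTRL_LEN)
        return IEC104_ERR_SHORT;
    if (pkt[0] != IEC104_START)
        return IEC104_ERR_START;
    size_t len = pkt[1];                            /* octets after the length */
    if (len < IEC104_CTRL_LEN || len > IEC104_MAX_APDU)
        return IEC104_ERR_LENGTH;
    if (len + 2 > received)                         /* len <= 253, no overflow */
        return IEC104_ERR_TRUNCATED;

    memcpy(out->ctrl, pkt + 2, IEC104_CTRL_LEN);
    out->asdu_len = len - IEC104_CTRL_LEN;          /* 0..249, fits out->asdu */
    memcpy(out->asdu, pkt + 2 + IEC104_CTRL_LEN, out->asdu_len);

    /* The frame format is encoded in the two low bits of control octet 1. */
    if ((out->ctrl[0] & 0x01) == 0)         out->type = IEC104_I_FRAME;
    else if ((out->ctrl[0] & 0x03) == 0x01) out->type = IEC104_S_FRAME;
    else                                    out->type = IEC104_U_FRAME;

    if (out->type == IEC104_I_FRAME && out->asdu_len == 0)
        return IEC104_ERR_NO_ASDU;
    return IEC104_OK;
}

/* Scalar wrappers for checking results; the last two return -1 on rejection. */
int iec104_status_of(const uint8_t *pkt, size_t n)
{ struct iec104_apdu a; return (int)iec104_parse_apdu(pkt, n, &a); }
int iec104_type_of(const uint8_t *pkt, size_t n)
{ struct iec104_apdu a; return iec104_parse_apdu(pkt, n, &a) == IEC104_OK ? (int)a.type : -1; }
int iec104_asdu_len_of(const uint8_t *pkt, size_t n)
{ struct iec104_apdu a; return iec104_parse_apdu(pkt, n, &a) == IEC104_OK ? (int)a.asdu_len : -1; }

/* Constructed sample frames, not captured traffic. */
const uint8_t FRAME_STARTDT[]  = {0x68, 0x04, 0x07, 0x00, 0x00, 0x00};  /* U-frame: STARTDT act */
const uint8_t FRAME_C_IC_NA[]  = {0x68, 0x0E, 0x02, 0x00, 0x00, 0x00,   /* I-frame: C_IC_NA_1 */
                                  0x64, 0x01, 0x06, 0x00, 0x01, 0x00,
                                  0x00, 0x00, 0x00, 0x14};
const uint8_t FRAME_I_EMPTY[]  = {0x68, 0x04, 0x02, 0x00, 0x00, 0x00};  /* I-frame, no ASDU */
const uint8_t FRAME_OVERLONG[] = {0x68, 0xFF, 0x00, 0x00, 0x00, 0x00};  /* claims 255 octets */
const uint8_t FRAME_TRUNC[]    = {0x68, 0xF0, 0x00, 0x00, 0x00, 0x00};  /* claims 240, 6 received */
const uint8_t FRAME_UNDERLEN[] = {0x68, 0x02, 0x00, 0x00, 0x00, 0x00};  /* length below 4 */

int main(void)
{
    static const char *const verdict[] = {"ok", "short", "bad start", "bad length",
                                          "truncated", "empty I-frame"};
    printf("STARTDT  -> %s\n", verdict[iec104_status_of(FRAME_STARTDT, sizeof FRAME_STARTDT)]);
    printf("overlong -> %s\n", verdict[iec104_status_of(FRAME_OVERLONG, sizeof FRAME_OVERLONG)]);
    return 0;
}
```

The check against the received byte count is the one that matters most on a TCP front end, because the peer controls both the length octet and how many bytes actually arrive; the unchecked version is wrong on both counts and additionally wraps on a length below 4. Validation at this layer complements, rather than replaces, the vendor's advice to keep port 8087 unreachable from outside the control network.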

C4 Security researcher Idan Ofrat is credited with discovering the vulnerability. Proof-of-concept exploit code demonstrating its impact has been provided to ABB, but it was not included in the public advisory given the critical nature of the affected equipment. The vendor has released a patch to address the issue and also noted that the X87 executable is obsolete and that customers should upgrade to the X88 or X89 versions. In addition, ABB pointed out that TCP port 8087 should generally be blocked from external access through firewall rules. The C4 advisory states that the vulnerability has been confirmed on PCU400 versions 4.4, 4.5 and 4.6, but that untested releases might also be affected. Organizations using these products are advised to contact the manufacturer immediately to obtain the patch.

C4 Security, a company that focuses on the security of SCADA systems, also disclosed a vulnerability in GE Fanuc's CIMPLICITY SCADA software earlier this year. Given what a compromise of such systems could enable, from sabotage and industrial espionage to terrorist attacks, it is vital that the developers of this software treat security seriously. We wrote not long ago about the discovery of a vulnerability in the CitectSCADA software used by many gas and oil refineries and other industrial facilities.