OTPulse

Sixnet Universal Protocol Undocumented Function Codes (Update B)

Low Risk | ICS-CERT ICSA-13-231-01B | May 22, 2013
Summary

Sixnet UDR and RTU devices contain undocumented Modbus function codes that can be invoked by sending specially crafted network messages. These undocumented functions allow execution of unintended commands on the controller without proper authorization checks. Affected versions: Sixnet UDR firmware prior to version 2.0 and Sixnet RTU firmware prior to version 4.8. No patches are available from the vendor for these legacy products.

What this means
What could happen
An attacker with network access to a Sixnet RTU or UDR device could send undocumented function codes to execute unintended commands on the controller, potentially allowing them to alter process parameters, disable safety functions, or interrupt operations.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Sixnet RTU or UDR controllers for SCADA and remote monitoring. Affects sites that rely on these devices for process control, telemetry, or pump/valve automation.
How it could be exploited
An attacker sends crafted Modbus or industrial protocol messages containing undocumented function codes to the RTU or UDR device over the network. The device processes these codes without proper validation, allowing arbitrary command execution or state manipulation of the controller.
Prerequisites
  • Network access to the Sixnet RTU or UDR device on port 502 (Modbus TCP) or other operational network ports
  • No authentication credentials required to send function codes
  • Remotely exploitable over network
  • No authentication required
  • No patch available (end-of-life products)
  • Could affect safety-critical operations
Exploitability
Moderate exploit probability (EPSS 4.1%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
Sixnet UDR | <2.0 | No fix (EOL)
Sixnet RTU firmware | <4.8 | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Implement network segmentation to restrict access to Sixnet RTU and UDR devices; only allow authorized engineering workstations and SCADA servers to communicate with these devices
  • WORKAROUND: Deploy firewall rules to block inbound connections to Sixnet devices from untrusted networks; whitelist only known, necessary sources
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Monitor network traffic to and from Sixnet RTU and UDR devices for suspicious or unexpected Modbus function codes
  • WORKAROUND: If possible, disable undocumented function codes or limit RTU/UDR operation to documented, essential Modbus functions only
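
One way to implement the function-code monitoring and allow-listing described above, as an added example that is not part of the advisory or any vendor code: it parses Modbus/TCP request payloads and alerts on any function code outside a site allow-list. The allow-list, the source address and the sample frames (including the 0x5A code) are constructed assumptions, not values from the advisory.

```python
import struct

# Assumption: the only function codes this site's SCADA master needs to send.
ALLOWED_FUNCTION_CODES = {3, 4, 6, 16}

# Constructed sample requests (client-to-device TCP payloads), not captured traffic.
SAMPLE_READ = bytes.fromhex("000100000006010300000002")  # FC 0x03, read 2 registers
SAMPLE_UNKNOWN = bytes.fromhex("000200000003015A00")     # FC 0x5A, arbitrary test value


def parse_modbus_tcp(payload: bytes):
    """Yield (unit_id, function_code, data) for each Modbus/TCP ADU in a payload."""
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 8:  # 7-byte MBAP header + function code
            raise ValueError("truncated MBAP header")
        _tid, proto, length, unit = struct.unpack_from(">HHHB", payload, offset)
        if proto != 0:
            raise ValueError(f"protocol id {proto} is not Modbus")
        # The length field counts the unit id plus the PDU (at most 253 bytes).
        if not 2 <= length <= 254 or offset + 6 + length > len(payload):
            raise ValueError("bad MBAP length field")
        pdu = payload[offset + 7 : offset + 6 + length]
        yield unit, pdu[0], pdu[1:]
        offset += 6 + length


def audit_payload(src: str, payload: bytes, allowed=ALLOWED_FUNCTION_CODES):
    """Return alert strings for function codes outside the allow-list."""
    alerts = []
    try:
        for unit, fc, _data in parse_modbus_tcp(payload):
            if fc not in allowed:
                alerts.append(f"{src} unit={unit} unexpected function code 0x{fc:02X}")
    except ValueError as exc:
        # A frame that does not parse as Modbus/TCP on port 502 is also worth an alert.
        alerts.append(f"{src} malformed frame: {exc}")
    return alerts


if __name__ == "__main__":
    for alert in audit_payload("192.0.2.10", SAMPLE_READ + SAMPLE_UNKNOWN):
        print(alert)
```

Feed it only client-to-device payloads from a span port or tap; device responses to failed requests carry the function code with the high bit set and would need their own handling.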