OTPulse

NovaTech Orion DNP3 Improper Input Validation Vulnerability

Low Risk · ICS-CERT ICSA-13-352-01 · Sep 20, 2013
Summary

NovaTech Orion DNP3 devices (OrionLX DNP Master, Orion5/Orion5r DNP Master, and DNP Slave units) contain an improper input validation vulnerability in their DNP3 protocol handling. A malformed DNP3 packet carrying invalid input gets past the validation checks and crashes the affected device, disrupting communications between the SCADA master and its remote terminal units (RTUs). Affected versions: OrionLX DNP Master v1.27.38 and earlier; Orion5/Orion5r DNP Master v1.27.38 and earlier; DNP Slave v1.23.10 and earlier (listed as DNP Slave Firmware 7.6 and earlier).

What this means
What could happen
An attacker with network access to the DNP3 interface could send malformed packets that cause the master or slave device to crash, leading to loss of communication with remote terminal units (RTUs) and potential process outages.
Who's at risk
Water and electric utilities operating NovaTech Orion DNP3 masters or slaves for SCADA communications with remote terminal units (RTUs). This affects any facility using Orion5, Orion5r, or OrionLX hardware running the listed firmware versions for DNP protocol gateway or slave functionality.
How it could be exploited
An attacker on a network segment that can reach the DNP3 devices sends specially crafted DNP3 packets whose invalid input gets past the device's validation checks. The master or slave device processes the malformed packet and crashes, disrupting DNP3 communications to RTUs controlling equipment such as pumps, valves, and power distribution switches.
Prerequisites
  • Network access to DNP3 port (typically TCP/UDP 20000)
  • A routable IP path, or a serial or radio link, to the DNP3 master or slave device
  • No authentication or special credentials required
Key points
  • Remotely exploitable over the network
  • No authentication required
  • No vendor patch available (end-of-life products)
  • Affects a critical SCADA communication channel
  • Low-complexity exploit
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (4, all end-of-life)
Product                      Affected versions   Fix status
OrionLX DNP Master           ≤ v1.27.38          No fix (EOL)
DNP Slave Firmware ≤ 7.6     ≤ v1.23.10          No fix (EOL)
Orion5/Orion5r DNP Master    ≤ v1.27.38          No fix (EOL)
DNP Slave                    ≤ v1.23.10          No fix (EOL)
Remediation & Mitigation
Do now
Workaround: implement firewall rules that restrict DNP3 traffic (TCP/UDP port 20000) to authorized master/RTU pairs only and exclude untrusted networks.
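As an added illustration of that workaround (not part of the ICS-CERT advisory or of NovaTech's own configuration), the following Python renders an nftables ruleset for a firewall sitting between the master network and the RTU network, allowing the DNP3 port only for an explicit list of master-to-outstation pairs and logging everything else aimed at it. The addresses and the pair list are assumptions; `decision()` mirrors the rendered policy so the pair list can be checked before the rules are loaded.

```python
from ipaddress import ip_address

DNP3_PORT = 20000

# Constructed inventory (hypothetical addresses): each tuple is one
# master -> outstation pair that is allowed to talk DNP3.
AUTHORIZED_PAIRS = [
    ("10.10.1.10", "10.20.5.21"),   # OrionLX master -> RTU at pump station
    ("10.10.1.10", "10.20.5.22"),   # same master -> second RTU
]


def _family(addr: str) -> str:
    """nftables match keyword ('ip' or 'ip6') for this address; rejects typos early."""
    return "ip" if ip_address(addr).version == 4 else "ip6"


def render_dnp3_ruleset(pairs, port=DNP3_PORT, log_prefix="dnp3-deny ") -> str:
    """Render an nftables 'inet' table for a forwarding firewall. Only listed
    master->outstation pairs may open a session to the DNP3 port; any other
    packet to that port is logged (so the monitoring control sees it) and
    dropped. Replies are admitted through conntrack state, not by extra rules."""
    lines = [
        "table inet dnp3 {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for master, outstation in pairs:
        fam = _family(master)
        if fam != _family(outstation):
            raise ValueError(f"mixed address families: {master} -> {outstation}")
        for proto in ("tcp", "udp"):
            lines.append(f"        {fam} saddr {master} {fam} daddr {outstation} "
                         f"{proto} dport {port} accept")
    for proto in ("tcp", "udp"):
        lines.append(f'        {proto} dport {port} log prefix "{log_prefix}" drop')
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


def decision(pairs, src: str, dst: str, proto: str, dport: int, port=DNP3_PORT) -> str:
    """What the rendered policy does with a NEW (non-established) packet:
    'accept', 'drop', or 'not-dnp3' (falls through to the chain policy)."""
    if proto not in ("tcp", "udp") or dport != port:
        return "not-dnp3"
    return "accept" if (src, dst) in pairs else "drop"


if __name__ == "__main__":
    print(render_dnp3_ruleset(AUTHORIZED_PAIRS))
```

Write the output to a file and load it with `nft -f`. Two caveats: if an outstation initiates the TCP session (outstation-initiated or dual-endpoint designs), add that reverse pair explicitly, since the reverse direction is not implied; and DNP3 carried over serial or radio links never passes an IP firewall, so those links need segmentation at the media converter or radio instead.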
Mitigations - no patch available
The following products have reached end of life with no planned fix: OrionLX DNP Master ≤ v1.27.38, DNP Slave Firmware ≤ 7.6 (≤ v1.23.10), Orion5/Orion5r DNP Master ≤ v1.27.38, DNP Slave ≤ v1.23.10. Apply the following compensating controls:
Hardening: segment DNP3 devices onto a protected network separate from general IT systems and untrusted networks.
Hardening: monitor for unexpected DNP3 connections and malformed packet activity using network monitoring tools.
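The advisory gives the mechanism (a malformed DNP3 packet gets past the device's validation and crashes it) and recommends watching for malformed packets, but does not say which field is malformed. As an added example that is not part of the advisory or of NovaTech's firmware, the following Python applies the generic DNP3 link-layer checks that a robust receiver, or a passive monitor on a port span, performs before trusting any field of a frame: start bytes, LEN bounds, header CRC, the wire length that LEN implies, and the per-block user-data CRCs. The sample frames are constructed here (not captured traffic), and the addresses, function codes and `forge_length` helper are illustrative assumptions.

```python
import struct

DNP3_START = b"\x05\x64"
MIN_LEN = 5           # LEN counts control(1) + dest(2) + src(2) + user data
MAX_USER_DATA = 250   # LEN is one octet, so a frame carries at most 250 user-data bytes
BLOCK = 16            # user data travels in 16-byte blocks, each followed by a CRC


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, output inverted.
    Check value for b"123456789" is 0xEA82."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def wire_len(user_len: int) -> int:
    """Bytes on the wire for a frame carrying user_len bytes of user data."""
    return 10 + user_len + 2 * ((user_len + BLOCK - 1) // BLOCK)


def build_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Build a well-formed frame; addresses and CRCs are little-endian on the wire."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data does not fit in one frame")
    header = DNP3_START + bytes([MIN_LEN + len(user_data), control]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def forge_length(frame: bytes, new_len: int) -> bytes:
    """Rewrite LEN and fix up the header CRC (hypothetical attacker input):
    the header checks out, but LEN no longer matches the bytes that follow."""
    header = frame[:2] + bytes([new_len]) + frame[3:8]
    return header + struct.pack("<H", crc16_dnp(header)) + frame[10:]


def validate_frame(frame: bytes):
    """Classify one frame as (ok, reason, parsed). Each field is read only
    after the checks that make reading it safe have passed."""
    if len(frame) < 10:
        return False, "truncated header", None
    if frame[:2] != DNP3_START:
        return False, "bad start bytes", None
    length = frame[2]
    if length < MIN_LEN:
        # a receiver that computes (LEN - 5) here underflows
        return False, "LEN below minimum", None
    if struct.unpack("<H", frame[8:10])[0] != crc16_dnp(frame[:8]):
        return False, "header CRC mismatch", None
    user_len = length - MIN_LEN
    expected = wire_len(user_len)
    if len(frame) < expected:
        # CRCs are fine, but LEN promises more than arrived: a parser that
        # trusts LEN over-reads its receive buffer
        return False, f"truncated: LEN {length} implies {expected} bytes, got {len(frame)}", None
    if len(frame) > expected:
        return False, "trailing bytes after frame", None
    control = frame[3]
    dest, src = struct.unpack("<HH", frame[4:8])
    user_data, pos = b"", 10
    for i in range(0, user_len, BLOCK):
        n = min(BLOCK, user_len - i)
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc16_dnp(block):
            return False, f"user data CRC mismatch in block {i // BLOCK}", None
        user_data += block
        pos += n + 2
    return True, "ok", {"control": control, "dest": dest, "src": src, "user_data": user_data}


# Constructed sample "captures" (not real traffic): two well-formed frames from
# master address 1 to outstation 1024, and three malformed variants.
SAMPLES = {
    "link-status": build_frame(0xC9, 1024, 1),                   # Request Link Status
    "with-data": build_frame(0xC4, 1024, 1, bytes(range(20))),   # 20 user-data bytes, 2 blocks
}
SAMPLES["bad-start"] = b"\x05\x65" + SAMPLES["link-status"][2:]
SAMPLES["len-lies"] = forge_length(SAMPLES["link-status"], 200)  # valid CRC, LEN claims 195 data bytes
SAMPLES["short-len"] = forge_length(SAMPLES["link-status"], 2)   # valid CRC, LEN < 5

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        ok, reason, _ = validate_frame(frame)
        print(f"{name:<12} {'OK' if ok else 'DROP':<5} {reason}")
```

A monitor fed from a span of the DNP3 segment would run `validate_frame` over every frame and alert on anything that does not come back `ok`. The `len-lies` and `short-len` cases are the ones worth noticing: both carry a correct header CRC, so a receiver that treats the CRC as proof of a sane frame and then trusts LEN will over-read or underflow. The checks here stop at the link layer; transport and application-layer fields (sequence numbers, object headers, qualifier ranges) need the same kind of bounds checking before use.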