OTPulse

GE Proficy HMI/SCADA DNP3 Driver Input Validation

Low Risk · ICS-CERT ICSA-14-287-01 · Jul 17, 2014
Summary

GE Proficy HMI/SCADA DNP3 I/O Driver contains an input validation vulnerability in the DNP3 protocol parser. The vulnerability affects iFix (all versions), CIMPLICITY (v8.2 and v9.0), and the standalone DNP3 I/O Driver (v7.20k and earlier). Because of the flaw, crafted DNP3 messages that should be rejected by input validation are instead processed by the driver.

What this means
What could happen
An attacker with network access to a SCADA system running the vulnerable DNP3 driver could send specially crafted DNP3 messages to bypass input validation, potentially causing the HMI/SCADA application to crash or behave unpredictably, disrupting monitoring and control of critical infrastructure.
Who's at risk
Energy utilities and manufacturing facilities using GE Proficy HMI/SCADA systems for SCADA monitoring and control, particularly those with DNP3 communication to field devices (RTUs, outstations). Affects iFix and CIMPLICITY server installations with the DNP3 I/O Driver enabled.
How it could be exploited
An attacker on the same network segment as the Proficy HMI/SCADA server (or reachable over a routed network) sends a malformed DNP3 protocol message to the listening DNP3 driver port. The driver fails to properly validate the message format, triggering an unhandled error or memory corruption condition that could crash the application or allow code execution.
Prerequisites
  • Network access to the DNP3 I/O Driver listening port (typically UDP/TCP 20000 or configured DNP3 port)
  • Proficy HMI/SCADA or iFix server with the DNP3 driver running and accepting external DNP3 connections
  • No authentication required to send DNP3 messages
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects critical infrastructure control systems · input validation bypass
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (8)
6 pending, 2 EOL

Product | Affected Versions | Fix Status
Catapult | v7.20.62 | No fix yet
CIMPLICITY | ≤ 8.2 : Catapult: v8.2.62 | No fix yet
CIMPLICITY | 9.0 | No fix yet
Catapult | v9.0.62 | No fix yet
Proficy HMI/SCADA DNP3 I/O Driver (DNP) | v7.20k | No fix yet
Catapult | ≤ v7.20.60 | No fix yet
iFix | All versions | No fix (EOL)
Proficy HMI/SCADA – iFIX or CIMPLICITY servers with the vulnerable I/O Driver installed (this includes iFIX or CIMPLICITY installations that are part of Proficy Process Systems) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
For Proficy HMI/SCADA DNP3 I/O Driver (DNP): v7.20k
WORKAROUND: Restrict network access to DNP3 driver listening ports using firewall rules; only allow connections from known, trusted RTU/outstation IP addresses.
WORKAROUND: Disable the DNP3 I/O Driver if DNP3 communication is not required for operations.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: iFix: vers:all/*, Proficy HMI/SCADA – iFIX or CIMPLICITY servers with the vulnerable I/O Driver installed (this includes iFIX or CIMPLICITY installations that are part of Proficy Process Systems): vers:all/*. Apply the following compensating controls:
HARDENING: Segment the SCADA network so that HMI/SCADA servers are on a separate VLAN from external or untrusted network segments.
HARDENING: Monitor DNP3 traffic for malformed messages and configure alerting on connection errors from the DNP3 driver.
HARDENING: Evaluate migration to a newer HMI/SCADA platform with active vendor support and security updates.
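One way to act on the "monitor DNP3 traffic for malformed messages" control above is to validate DNP3 link-layer framing (start bytes, LEN field, header CRC and per-block data CRCs) on a span port or in a protocol-aware firewall, so that frames the driver's parser might mishandle are flagged before they reach the HMI/SCADA server. The following is an added Python example, not OTPulse's or GE's code; the sample Reset Link States frame is constructed for illustration, and the checker assumes it is handed one complete frame at a time.

```python
from typing import List

# Lookup table for the DNP3 CRC-16 (poly 0x3D65, used bit-reflected as 0xA6BC).
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xA6BC if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: init 0, reflected, final complement; sent LSB first on the wire."""
    crc = 0
    for b in data:
        crc = (crc >> 8) ^ _CRC_TABLE[(crc ^ b) & 0xFF]
    return (~crc) & 0xFFFF


def check_dnp3_frame(frame: bytes) -> List[str]:
    """Return the framing faults found in one DNP3 link-layer frame ([] means well-formed).
    Header: 0x05 0x64, LEN, CTRL, DEST(2), SRC(2), CRC(2). LEN counts CTRL+DEST+SRC plus user
    data (minimum 5); user data follows in blocks of up to 16 bytes, each with its own CRC."""
    faults: List[str] = []
    if len(frame) < 10:
        return ["frame shorter than the 10-byte link header"]
    if frame[0:2] != b"\x05\x64":
        faults.append("bad start bytes %s" % frame[0:2].hex())
    length = frame[2]
    if length < 5:
        faults.append("LEN field %d below minimum 5" % length)
    if int.from_bytes(frame[8:10], "little") != dnp3_crc(frame[0:8]):
        faults.append("header CRC mismatch")
    if faults:
        return faults  # do not trust LEN once the header itself is suspect
    user_len = length - 5
    full_blocks, tail = divmod(user_len, 16)
    expected = 10 + user_len + 2 * (full_blocks + (1 if tail else 0))
    if len(frame) != expected:
        return ["frame is %d bytes, LEN implies %d" % (len(frame), expected)]
    pos = 10
    while pos < len(frame):
        size = min(16, len(frame) - pos - 2)  # data bytes in this block
        block, crc = frame[pos:pos + size], frame[pos + size:pos + size + 2]
        if int.from_bytes(crc, "little") != dnp3_crc(block):
            faults.append("data block CRC mismatch at offset %d" % pos)
        pos += size + 2
    return faults


# Constructed sample: Reset Link States, master address 4 to outstation 1, no user data.
RESET_LINK_FRAME = bytes.fromhex("0564 05c0 0100 0004 e921")
```

A non-empty result is the alert condition; frames that pass still need application-layer checks, since this catches only link-layer malformation.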