Elipse SCADA DNP3 Denial of Service

Low RiskICS-CERT ICSA-14-303-02Aug 2, 2014

Energy

Summary

A denial of service vulnerability exists in the Elipse SCADA DNP3 driver and related products (Elipse E3, Elipse Power systems, DNP 3.0 Master). The flaw allows a remote attacker to send a specially crafted DNP3 protocol message that is not properly validated by the application, causing an unhandled exception and crash. This results in loss of communication between the SCADA master and downstream RTUs/PLCs, disrupting real-time monitoring and control operations. The vulnerability affects all versions of Elipse SCADA with DNP3 driver up to 2.29_build_141, Elipse E3 versions 1.0 through 4.5, Elipse Power systems versions 1.0 through 4.5, and DNP 3.0 Master up to version 3.02. No patch has been made available by the vendor.

What this means

What could happen

A remote attacker can send a specially crafted DNP3 message to crash the Elipse SCADA application or DNP3 Master, interrupting communication with downstream RTUs and PLCs and stopping real-time monitoring and control of energy infrastructure.

Who's at risk

Energy sector operators using Elipse SCADA, E3, or Power systems products with DNP3 driver functionality for monitoring and controlling generation, transmission, and distribution equipment should be concerned. This affects SCADA master stations that communicate with remote terminal units (RTUs) and programmable logic controllers (PLCs) in power plants, substations, and control centers.

How it could be exploited

An attacker with network access to the DNP3 port (typically 20000) sends a malformed DNP3 protocol message. The application does not properly validate the message structure, causing an unhandled exception that crashes the SCADA software, severing the connection to remote devices.

Prerequisites

Network access to DNP3 port (typically TCP/UDP 20000)
Elipse SCADA application or DNP3 Master running on the target host
DNP3 driver enabled

remotely exploitablelow complexityno patch availableaffects critical SCADA infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.5%

Affected products (4)

4 EOL

ProductAffected VersionsFix Status

Elipse SCADA w/ DNP3 driver: <=2.29_build_141≤ 2.29 build 141No fix (EOL)

Elipse E3: >=V1.0|<V4.6≥ V1.0|<V4.6No fix (EOL)

DNP 3.0 Master: <=v3.02≤ v3.02No fix (EOL)

Elipse Power systems: >=V1.0|<V4.6≥ V1.0|<V4.6No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDRestrict network access to DNP3 ports (typically 20000) using firewall rules. Only permit DNP3 communications from trusted RTUs and master stations.

WORKAROUNDEstablish manual monitoring and failover procedures in case the SCADA application crashes unexpectedly.

Long-term hardening

0/1

HOTFIXEvaluate upgrade path to current Elipse E3 or Power systems versions if available from your vendor, though no fix status is currently documented.

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: Elipse SCADA w/ DNP3 driver: <=2.29_build_141, Elipse E3: >=V1.0|<V4.6, DNP 3.0 Master: <=v3.02, Elipse Power systems: >=V1.0|<V4.6. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate SCADA systems from untrusted networks. Use air-gapped networks or DMZs with strict access controls.

HARDENINGMonitor DNP3 traffic for malformed messages using IDS/IPS rules. Set up alerts for unexpected connection terminations from SCADA applications.

CVEs (1)

CVE-2014-5429

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f38cfb9e-5b57-480f-8054-95f71243a182

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.