Elipse SCADA DNP3 Denial of Service
Low Risk · ICS-CERT ICSA-14-303-02 · Aug 2, 2014
Summary
A denial of service vulnerability exists in the Elipse SCADA DNP3 driver and related products (Elipse E3, Elipse Power systems, DNP 3.0 Master). The flaw allows a remote attacker to send a specially crafted DNP3 protocol message that is not properly validated by the application, causing an unhandled exception and crash. This results in loss of communication between the SCADA master and downstream RTUs/PLCs, disrupting real-time monitoring and control operations. The vulnerability affects all versions of Elipse SCADA with DNP3 driver up to 2.29_build_141, Elipse E3 versions 1.0 through 4.5, Elipse Power systems versions 1.0 through 4.5, and DNP 3.0 Master up to version 3.02. No patch has been made available by the vendor.
What this means
What could happen
A remote attacker can send a specially crafted DNP3 message to crash the Elipse SCADA application or DNP3 Master, interrupting communication with downstream RTUs and PLCs and stopping real-time monitoring and control of energy infrastructure.
Who's at risk
Energy sector operators using Elipse SCADA, E3, or Power systems products with DNP3 driver functionality for monitoring and controlling generation, transmission, and distribution equipment should be concerned. This affects SCADA master stations that communicate with remote terminal units (RTUs) and programmable logic controllers (PLCs) in power plants, substations, and control centers.
How it could be exploited
An attacker with network access to the DNP3 port (typically 20000) sends a malformed DNP3 protocol message. The application does not properly validate the message structure, causing an unhandled exception that crashes the SCADA software, severing the connection to remote devices.
Prerequisites
- Network access to DNP3 port (typically TCP/UDP 20000)
- Elipse SCADA application or DNP3 Master running on the target host
- DNP3 driver enabled
Tags: remotely exploitable, low complexity, no patch available, affects critical SCADA infrastructure
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (4, all end of life)
Product | Affected Versions | Fix Status
Elipse SCADA w/ DNP3 driver | ≤ 2.29 build 141 | No fix (EOL)
Elipse E3 | ≥ V1.0 and < V4.6 | No fix (EOL)
DNP 3.0 Master | ≤ v3.02 | No fix (EOL)
Elipse Power systems | ≥ V1.0 and < V4.6 | No fix (EOL)
Remediation & Mitigation
Do now
Workaround: Restrict network access to DNP3 ports (typically 20000) using firewall rules. Only permit DNP3 communications from trusted RTUs and master stations.
Workaround: Establish manual monitoring and failover procedures in case the SCADA application crashes unexpectedly.
Long-term hardening
Hotfix: Evaluate the upgrade path to current Elipse E3 or Power systems versions if available from your vendor, though no fix status is currently documented.
Mitigations - no patch available
The following products have reached end of life with no planned fix: Elipse SCADA w/ DNP3 driver (≤ 2.29 build 141), Elipse E3 (≥ V1.0 and < V4.6), DNP 3.0 Master (≤ v3.02), Elipse Power systems (≥ V1.0 and < V4.6). Apply the following compensating controls:
Hardening: Implement network segmentation to isolate SCADA systems from untrusted networks. Use air-gapped networks or DMZs with strict access controls.
Hardening: Monitor DNP3 traffic for malformed messages using IDS/IPS rules. Set up alerts for unexpected connection terminations from SCADA applications.
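Monitoring for malformed DNP3 messages, as the hardening item above recommends, requires a precise definition of a well-formed frame. The Python below is an added example and is not Elipse code, nor anything taken from the advisory or the vendor: it checks the public DNP3 link-layer framing rules (0x05 0x64 start bytes, LEN field, CRC-16/DNP over the 8-byte header and over each 16-byte user-data block) and reports every violation, which is the validation a receiver or an inline monitor performs before a frame reaches the transport and application layers. The sample frames are constructed inline for this example; the function names and the 250-byte user-data ceiling (derived from LEN ≤ 255) are this example's own assumptions.

```python
"""Structural validation of DNP3 link-layer frames (added example, not vendor code).

Assumption: frames arrive as raw bytes, e.g. reassembled from port 20000
traffic by a capture tool. Only the public link-layer framing rules are
checked; transport and application layers are out of scope here.
"""

START = b"\x05\x64"
HEADER_LEN = 10      # start(2) + LEN(1) + CTRL(1) + DST(2) + SRC(2) + CRC(2)
MIN_LEN_FIELD = 5    # LEN counts CTRL + DST + SRC (+ user data), so 5 means no user data
BLOCK = 16           # user data is CRC-protected in blocks of up to 16 bytes


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC, init 0x0000, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_link_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a well-formed frame (used here only to construct sample input)."""
    if len(user_data) > 255 - MIN_LEN_FIELD:
        raise ValueError("user data exceeds 250 bytes")
    header = START + bytes([MIN_LEN_FIELD + len(user_data), control])
    header += dest.to_bytes(2, "little") + src.to_bytes(2, "little")
    frame = header + crc16_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        frame += block + crc16_dnp(block).to_bytes(2, "little")
    return frame


def expected_frame_size(len_field: int) -> int:
    """Total on-the-wire size implied by LEN: header + user data + one CRC per block."""
    user_len = len_field - MIN_LEN_FIELD
    return HEADER_LEN + user_len + 2 * ((user_len + BLOCK - 1) // BLOCK)


def validate_link_frame(frame: bytes) -> list[str]:
    """Return framing violations; an empty list means the frame is well-formed.

    A frame failing any check should be dropped and logged, never handed to
    the transport/application layers, since LEN cannot be trusted until the
    header CRC has verified.
    """
    problems: list[str] = []
    if len(frame) < HEADER_LEN:
        return [f"frame too short for a link header ({len(frame)} bytes)"]
    if frame[:2] != START:
        problems.append(f"bad start bytes {frame[:2].hex()}")
    len_field = frame[2]
    if len_field < MIN_LEN_FIELD:
        problems.append(f"LEN field {len_field} below minimum {MIN_LEN_FIELD}")
    if crc16_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        problems.append("header CRC mismatch")
    if problems:
        return problems  # header untrusted: do not walk the user data
    expected = expected_frame_size(len_field)
    if len(frame) != expected:
        return [f"frame length {len(frame)} does not match LEN-derived size {expected}"]
    pos, remaining, block_no = HEADER_LEN, len_field - MIN_LEN_FIELD, 0
    while remaining > 0:
        size = min(BLOCK, remaining)
        if crc16_dnp(frame[pos:pos + size]) != int.from_bytes(frame[pos + size:pos + size + 2], "little"):
            problems.append(f"user data block {block_no} CRC mismatch")
        pos, remaining, block_no = pos + size + 2, remaining - size, block_no + 1
    return problems


def user_data(frame: bytes) -> bytes:
    """Strip framing and CRCs from a frame that has already passed validation."""
    if validate_link_frame(frame):
        raise ValueError("refusing to extract payload from a malformed frame")
    out, pos, remaining = bytearray(), HEADER_LEN, frame[2] - MIN_LEN_FIELD
    while remaining > 0:
        size = min(BLOCK, remaining)
        out += frame[pos:pos + size]
        pos, remaining = pos + size + 2, remaining - size
    return bytes(out)


# Constructed sample traffic (not captured from any real system): a well-formed
# link reset request, the same frame with a corrupted header CRC, a frame whose
# LEN field is below the minimum, and a frame truncated inside its data block.
_good = build_link_frame(0xC0, dest=1, src=0x0400)
SAMPLE_FRAMES = {
    "good": _good,
    "bad_crc": _good[:-1] + bytes([_good[-1] ^ 0xFF]),
    "short_len": bytes.fromhex("0564 04c0 0100 0004 0000"),
    "truncated": build_link_frame(0xC4, dest=1, src=0x0400, user_data=b"\xc0\xc1\x01")[:-1],
}


def scan(frames: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the validator over a batch and return only the frames with findings."""
    findings = {}
    for name, frame in frames.items():
        problems = validate_link_frame(frame)
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in scan(SAMPLE_FRAMES).items():
        print(f"ALERT {name}: {'; '.join(problems)}")
```

Run stand-alone, the script reports the three malformed sample frames and stays silent on the well-formed one. In a monitoring deployment the same findings, keyed by the source address in the header, give the alert signal the hardening item asks for: a burst of framing violations toward the master's DNP3 port, followed by the master's connections to its outstations dropping, is exactly the sequence a denial-of-service against an unvalidated parser would produce.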
CVEs (1)