Schneider Electric Invensys Positioner Buffer Overflow Vulnerability
Low Risk · ICS-CERT ICSA-15-055-03 · Nov 27, 2015
Summary
A stack-based buffer overflow vulnerability exists in the DTM (Device Type Manager) software used to configure Schneider Electric SRD 960 and SRD 991 Control Valve Positioners. The vulnerability is in DTM version 3.1.6 and earlier. The affected positioners are intelligent valve controllers used in process automation for controlling fluid flow in industrial applications. No vendor patch is currently available for this vulnerability.
What this means
What could happen
A buffer overflow in the DTM (Device Type Manager) software could allow an attacker to crash the positioner configuration tool or execute arbitrary code with the privileges of the user running DTM, potentially disrupting control valve commissioning and tuning operations.
Who's at risk
Energy sector organizations using Schneider Electric SRD 960 or SRD 991 control valve positioners should care. This affects engineering and commissioning staff who use the DTM tool to configure and tune these positioners, which are common in steam systems, process water, and fuel gas control loops in power plants and refineries.
How it could be exploited
An attacker with access to the engineering workstation running DTM could trigger the buffer overflow by sending a malformed input or file to the DTM application when communicating with SRD 960 or SRD 991 positioners. This would require local or network access to the workstation where DTM is installed.
Prerequisites
- Access to the engineering workstation running DTM software
- DTM version 3.1.6 or earlier installed
- User interaction or network communication with the affected DTM version
Tags: no patch available · buffer overflow vulnerability · affects commissioning/maintenance operations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 EOL
Product                                         | Affected Versions | Fix Status
DTM used with SRD 960 Control Valve Positioners | ≤ 3.1.6           | No fix (EOL)
DTM used with SRD 991 Control Valve Positioners | ≤ 3.1.6           | No fix (EOL)
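The affected range above is "3.1.6 and earlier", and a common inventory mistake is to compare version strings lexicographically, where "3.1.10" sorts before "3.1.6" and a newer build gets flagged (or an older one missed). The following script is an added example, not part of this advisory or of Schneider Electric's tooling: it parses versions numerically and flags hosts whose DTM install falls in the affected range. The product names are taken from the table; the hostnames and inventory rows are constructed sample data.

```python
# Added example: flag DTM installs in the affected range (<= 3.1.6) from an
# inventory export. Not part of the advisory; hostnames and rows are constructed.

# Product names exactly as listed in the advisory's affected-products table.
AFFECTED_PRODUCTS = {
    "DTM used with SRD 960 Control Valve Positioners",
    "DTM used with SRD 991 Control Valve Positioners",
}
LAST_AFFECTED_VERSION = "3.1.6"  # advisory: 3.1.6 and earlier, no fix (EOL)


def parse_version(text):
    """Turn '3.1.6' into (3, 1, 6) so comparison is numeric.

    A plain string comparison would put '3.1.10' before '3.1.6'; tuples of
    ints compare component by component and avoid that.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_affected(product, version):
    """True when the product is one of the two listed and its version is <= 3.1.6."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)


# Constructed inventory rows (hostname, product, DTM version); not real data.
SAMPLE_INVENTORY = [
    {"host": "eng-ws-01", "product": "DTM used with SRD 960 Control Valve Positioners", "version": "3.1.6"},
    {"host": "eng-ws-02", "product": "DTM used with SRD 991 Control Valve Positioners", "version": "3.0.2"},
    {"host": "eng-ws-03", "product": "DTM used with SRD 991 Control Valve Positioners", "version": "3.1.10"},
    {"host": "eng-ws-04", "product": "Unrelated DTM package", "version": "2.9.0"},
]


def affected_hosts(inventory):
    """Return the sorted hostnames whose DTM install is in the affected range."""
    return sorted(
        row["host"] for row in inventory if is_affected(row["product"], row["version"])
    )


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected DTM version, no vendor fix; apply compensating controls")
```

With the constructed rows, eng-ws-01 (exactly 3.1.6) and eng-ws-02 (3.0.2) are reported; eng-ws-03 runs 3.1.10, which is newer than 3.1.6 and outside the stated range, and eng-ws-04 is not one of the listed products.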
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Restrict user privileges on the engineering workstation; run DTM under a limited user account rather than administrative credentials to reduce the impact of code execution
Mitigations - no patch available
The following products have reached End of Life with no planned fix: DTM used with SRD 960 Control Valve Positioners (≤ 3.1.6), DTM used with SRD 991 Control Valve Positioners (≤ 3.1.6). Apply the following compensating controls:
HARDENING: Implement network access controls to restrict who can reach the engineering workstation running DTM; use firewalls or network segmentation to limit access to authorized personnel and devices only
HARDENING: Keep the engineering workstation isolated from production control networks and the internet; do not run DTM on computers with direct access to operational equipment networks
CVEs (1)
API:
/api/v1/advisories/bfedcceb-026e-4254-9112-332f2b277bd5