Triangle MicroWorks DNP3 Outstation Libraries
Plan Patch | 7.5 | ICS-CERT ICSA-20-105-02 | Apr 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A buffer overflow vulnerability exists in Triangle MicroWorks DNP3 Outstation Libraries versions 3.16.00 through 3.25.01. A remote attacker without credentials can send a malicious DNP3 protocol message that causes the library to crash, denying service to SCADA master stations and disrupting communication with field devices like RTUs and IEDs. The vulnerability requires no special user interaction and can be triggered over the network from any system that can reach the DNP3 port.
What this means
What could happen
An attacker could cause a denial of service by crashing the DNP3 Outstation Libraries, stopping communication and control functions between the master station and field devices like RTUs and IEDs in your utility network.
Who's at risk
Water utilities and electric utilities that use Triangle MicroWorks DNP3 Outstation Libraries to enable communication between master SCADA stations and remote terminal units (RTUs), programmable logic controllers (PLCs), or intelligent electronic devices (IEDs) in substations and distribution networks.
How it could be exploited
An attacker with network access to a device running the affected DNP3 Outstation Libraries could send a specially crafted DNP3 message that triggers a buffer overflow (CWE-121), causing the library to crash and stop processing commands. This could halt SCADA communications and field device control.
Prerequisites
- Network access to port 20000 (default DNP3 port) or the port where DNP3 Outstation is listening
- No authentication required to send malicious DNP3 messages
Tags: remotely exploitable, no authentication required, low complexity, causes denial of service to critical SCADA communications, affects control system availability
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product: DNP3 Outstation Libraries: 3.16.00 through 3.25.01
Affected Versions: ≥ 3.16.00 | ≤ 3.25.01
Fix Status: 3.26
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules to restrict inbound access to DNP3 port (default 20000) from only trusted master stations and engineering networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update DNP3 Outstation Libraries to version 3.26 or later
Long-term hardening
HARDENING: Segment your control network from the business network using a DMZ or air gap, ensuring DNP3 devices are not directly internet-accessible
HARDENING: If remote access to DNP3 devices is required, use a VPN with current security patches and restrict access to authorized personnel only
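The remediation steps above pair a version check with a firewall check. As an added example, not part of the advisory or the vendor's code, the following Python applies the advisory's affected range (3.16.00 through 3.25.01) to an inventory and flags DNP3 allow rules wider than the trusted master stations. The inventory, host names, field names and addresses are constructed assumptions.

```python
"""Triage for ICSA-20-105-02 (added example; all inventory data is constructed)."""
import ipaddress

# Affected range as stated in the advisory; 3.26 and later are fixed.
AFFECTED_MIN, AFFECTED_MAX = "3.16.00", "3.25.01"

def parse_version(text):
    """'3.25.01' -> (3, 25, 1); short forms such as '3.26' are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    lo, hi = parse_version(AFFECTED_MIN), parse_version(AFFECTED_MAX)
    return lo <= parse_version(version) <= hi

def untrusted_sources(allowed_cidrs, trusted_cidrs):
    """Allowed source ranges for the DNP3 port not contained in a trusted range."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    wide = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            wide.append(cidr)
    return wide

def triage(inventory, trusted_cidrs):
    """Return (name, action, over-broad source ranges) per outstation."""
    findings = []
    for host in inventory:
        affected = is_affected(host["lib_version"])
        exposed = untrusted_sources(host["allowed_sources"], trusted_cidrs)
        if affected and exposed:
            action = "restrict port now, then patch"
        elif affected:
            action = "schedule patch"
        else:
            action = "tighten firewall" if exposed else "ok"
        findings.append((host["name"], action, exposed))
    return findings

TRUSTED_MASTERS = ["10.10.1.0/28"]  # constructed SCADA master subnet
INVENTORY = [  # constructed; allowed_sources = ranges permitted to the DNP3 port
    {"name": "rtu-pump-01", "lib_version": "3.20.00", "allowed_sources": ["0.0.0.0/0"]},
    {"name": "rtu-sub-07", "lib_version": "3.25.01", "allowed_sources": ["10.10.1.4/32"]},
    {"name": "ied-feeder-3", "lib_version": "3.26", "allowed_sources": ["10.10.0.0/16"]},
]

if __name__ == "__main__":
    for name, action, exposed in triage(INVENTORY, TRUSTED_MASTERS):
        print(f"{name}: {action} {exposed}")
```

Hosts that are both in the affected range and reachable from outside the trusted master subnet map to the "Do now" workaround; the rest follow the maintenance-window and hardening items.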
CVEs (1)