Two LiveData Vulnerabilities Published
A bit of confusion yesterday as two LiveData vulnerabilities were independently published on the same day. What are the odds on this?
The first was a US-CERT Vulnerability Note on a vulnerability in the COTP implementation discovered by Matt Franz while he was at Digital Bond. A malformed COTP packet causes the LiveData ICCP server to crash. We did not try to develop an exploit that would take remote control because crashing a server is reason enough to patch. This attack would require knowledge of the ICCP protocol stack and some programming. Also note the US-CERT documentation does not provide any information on the malformed packet.
The second vulnerability was released by iDefense Labs, a division of Verisign. It involves a vulnerability in the SOAP interface of the LiveData web server. In many ways this is a more serious vulnerability because the number of attackers with the skill set to develop this exploit is much greater. There are more web server/SOAP experts than ICCP experts out in the potential attacker universe.
Both of these vulnerabilities are fixed in Version 500062, so start your patching process.
Now the LiveData Server code is in products from:
- Advanced Control Systems, Inc
- Barco
- Eliop
- GEA-India
- Hitachi
- Invensys Process Systems
- LogicaCMG
- Radio Control Central Stations, Inc.
- SPL Worldgroup, Inc.
- S&C Electric Company
- Telvent
and perhaps more we don’t know about, and of course LiveData.
So my questions for users of these systems: have you been contacted by your vendor saying you need to patch your ICCP server? Perhaps a more basic question, excepting LiveData, does your vendor even support the patch? Really, this is not a rhetorical question. Send me an email, peterson@digitalbond.com.
We have now had multiple Sisco and LiveData vulnerabilities and patches. These two vendors are in the vast majority of ICCP server solutions. What percentage of the industry has an ICCP server with a known vulnerability that allows any compromised ICCP participant to crash all of their partners’ connections?
Update: SCADApedia entries for the COTP Vulnerability and HTTP/SOAP Vulnerability. The complete list of all published control system vulnerabilities has been updated as well.
Author: Dale Peterson
Posted: May 3rd, 2007 under ICCP, Vulnerability Disclosure.