LiveData ICCP Server COTP Vulnerability

From SCADApedia


Versions prior to 500062 of LiveData's ICCP Server, which is used in a number of ICCP servers from LiveData and other vendors, can be crashed by a specially crafted COTP packet.


Vulnerability

ICCP servers consist of a protocol stack, shown below, with numerous rarely used protocols including the Connection Oriented Transport Protocol (COTP). LiveData's ICCP server versions prior to 500062 can be crashed by sending a malformed COTP packet to the server. The details of the malformed COTP packet have not been made public.



This attack requires a valid TPKT connection. TPKT is an obscure and rarely attacked protocol.

No attempt was made to create a remote control exploit.

This vulnerability was discovered and reported to US-CERT by Matt Franz of Digital Bond.

Affected Systems

All systems and applications running LiveData's ICCP Server earlier than version 500062.

The LiveData ICCP server is the second most widely deployed ICCP server. It is deployed under the LiveData brand and private labeled by control system application vendors including:

  • Advanced Control Systems, Inc
  • Barco
  • Eliop
  • GEA-India
  • Hitachi
  • Invensys Process Systems
  • LogicaCMG
  • Radio Control Central Stations, Inc.
  • SPL Worldgroup, Inc.
  • S&C Electric Company
  • Telvent

There may be additional vendors not on this list that use the LiveData ICCP server. All asset owners with ICCP servers should either contact their vendor or use one of the detection methods to determine if they are vulnerable.

Impact

ICCP servers are used to pass information between SCADA/EMS systems, often between asset owners. A US bulk electric entity is likely to have ICCP Security Associations with multiple other bulk electric entities. Firewalls and other perimeter security devices must be configured to allow TCP/102, the ICCP port, for authorized ICCP communication.

If an attacker were able to gain access to one electric entity, he would be able to crash and possibly remotely control all ICCP servers the organization communicates with that have an unpatched LiveData ICCP server application.

Detection

Tenable Security has written Nessus Plugin 25147 that will identify a LiveData ICCP server with a version prior to 500062.

All asset owners who are unsure of the brand of underlying ICCP server in use, most likely either SISCO or LiveData, can use Plugin 23813 to determine if their system relies on the LiveData ICCP server.

Check with the ICCP vendor to determine if patching is required.

Remediation

Contact your ICCP server vendor and deploy a patch if available. A patch is available for all LiveData branded ICCP servers. Third party vendors that integrate the LiveData ICCP server may or may not support the patch.

Compensating Controls

  • Use a firewall or other filtering to limit access to ICCP servers
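One way to verify that the filtering above is effective is to audit firewall connection records for allowed TCP/102 sessions to ICCP servers from sources outside the authorized peer list. The following is an added example, not part of the original advisory or any vendor tooling; the log format, addresses, and function names are constructed assumptions.

```python
import ipaddress

ICCP_PORT = 102  # TCP/102, the ICCP port named on this page
# Constructed sample data (assumptions, not from the page): ICCP servers, peer
# networks, and firewall records in a hypothetical "src dst proto dport action" format.
ICCP_SERVERS = {"10.20.0.5", "10.20.0.6"}
AUTHORIZED_PEERS = ["192.0.2.0/28", "198.51.100.17/32"]
SAMPLE_LOG = """\
192.0.2.4 10.20.0.5 tcp 102 allow
198.51.100.17 10.20.0.6 tcp 102 allow
203.0.113.9 10.20.0.5 tcp 102 allow
10.30.4.22 10.20.0.6 tcp 102 allow
203.0.113.9 10.20.0.5 tcp 102 deny
192.0.2.4 10.20.0.5 tcp 443 allow
malformed line
"""


def parse_record(line):
    """Return (src, dst, proto, dport, action) or None if the line is unusable."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    try:
        src = ipaddress.ip_address(parts[0])
        ipaddress.ip_address(parts[1])  # validate destination address too
    except ValueError:
        return None
    return src, parts[1], parts[2].lower(), int(parts[3]), parts[4].lower()


def unauthorized_iccp_access(log_text, servers, peers):
    """List allowed TCP/102 connections to ICCP servers from non-peer sources."""
    nets = [ipaddress.ip_network(p) for p in peers]
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst, proto, dport, action = rec
        hit = (proto, dport, action) == ("tcp", ICCP_PORT, "allow") and dst in servers
        if hit and not any(src in n for n in nets):
            findings.append((str(src), dst))
    return findings


if __name__ == "__main__":
    for src, dst in unauthorized_iccp_access(SAMPLE_LOG, ICCP_SERVERS, AUTHORIZED_PEERS):
        print(f"review firewall rule: {src} reached ICCP server {dst} on TCP/{ICCP_PORT}")
```

Any finding means a rule permits TCP/102 from a source that is not an authorized ICCP peer, including internal hosts that have no reason to reach the ICCP server.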

External Links

US-CERT Vulnerability Note 71140

Nessus Plugin 25147

LiveData Home Page
