LiveData ICCP Server HTTP/SOAP Heap Overflow Vulnerability

From SCADApedia


Versions prior to 500062 of LiveData's ICCP Server, which is used in a number of ICCP servers from LiveData and other vendors, contain a heap overflow that can be triggered by sending a specially crafted request to the web server provided as part of the LiveData ICCP system.


Vulnerability

LiveData's ICCP server contains a web server with a SOAP interface on TCP port 8080. As explained in the iDefense bulletin, "By supplying a specially crafted request to the service on port 8080, an attacker is able to supply a negative length value to a strncpy call. This value is interpreted by strncpy as a very large positive value. As a result, a memory access violation occurs when attempting to write data past the end of the heap memory segment."

This heap overflow vulnerability may allow an attacker to execute code on the server and potentially gain remote control. No attempt was made to create a remote control exploit.
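To illustrate the defect class the bulletin describes (a signed, request-supplied length reaching strncpy as a size_t), here is an added C example that is not LiveData's code: it shows what value strncpy would receive for a negative length, and a checked copy routine that rejects negative and oversized lengths before copying. The field layout and sample payload are constructed for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* A request handler of the kind iDefense describes takes a length from the
   request as a signed integer and hands it to strncpy, whose size parameter
   is size_t. This shows the conversion: -1 becomes SIZE_MAX, so strncpy
   keeps writing far past the end of the heap buffer. */
size_t length_as_strncpy_sees(int declared_len) {
    return (size_t)declared_len;
}

/* Hardened copy: validate the request-supplied length against the bytes
   actually received and the destination capacity before any copy happens.
   Returns the number of bytes copied, or -1 if the length is rejected. */
long copy_field_checked(const char *src, size_t src_avail,
                        long declared_len, char *dst, size_t dst_size) {
    if (dst_size == 0) return -1;
    if (declared_len < 0) return -1;                  /* negative length   */
    if ((size_t)declared_len > src_avail) return -1;  /* more than was sent */
    if ((size_t)declared_len >= dst_size) return -1;  /* no room for NUL    */
    memcpy(dst, src, (size_t)declared_len);
    dst[declared_len] = '\0';
    return declared_len;
}

int main(void) {
    /* Constructed sample: a 5-byte field with one correct and two bogus lengths. */
    const char payload[] = "hello";
    char out[16];

    printf("strncpy would see %zu for length -1\n", length_as_strncpy_sees(-1));
    printf("valid copy: %ld bytes\n",
           copy_field_checked(payload, 5, 5, out, sizeof out));
    printf("negative length: %ld\n",
           copy_field_checked(payload, 5, -1, out, sizeof out));
    printf("oversized length: %ld\n",
           copy_field_checked(payload, 5, 4096, out, sizeof out));
    return 0;
}
```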

This vulnerability, and information in this section, was published by iDefense. The researcher who discovered the vulnerability wishes to remain anonymous.

Affected Systems

All systems and applications running LiveData's ICCP Server earlier than version 500062.

The LiveData ICCP server is the second most widely deployed ICCP server. It is deployed under the LiveData brand and private-labelled by control system application vendors including:

  • Advanced Control Systems, Inc.
  • Barco
  • Eliop
  • GEA-India
  • Hitachi
  • Invensys Process Systems
  • LogicaCMG
  • Radio Control Central Stations, Inc.
  • SPL Worldgroup, Inc.
  • S&C Electric Company
  • Telvent

There may be additional vendors not on this list that use the LiveData ICCP server. All asset owners with ICCP servers should either contact their vendor or use one of the detection methods below to determine if they are vulnerable.

Impact

ICCP servers are used to pass information between SCADA/EMS systems, often between asset owners. A US bulk electric entity is likely to have ICCP Security Associations with multiple other bulk electric entities. Firewalls and other perimeter security devices must be configured to allow TCP/102, the ICCP port, for authorized ICCP communication.

If an attacker were able to gain access to one electric entity, he would be able to crash and possibly remotely control all ICCP servers the organization communicates with that have an unpatched LiveData ICCP server application.

Detection

Tenable Security has written Nessus Plugin 25147 that will identify a LiveData ICCP server with a version prior to 500062.

All asset owners who are unsure of the brand of underlying ICCP server in use, most likely either SISCO or LiveData, can use Plugin 23813 to determine if their system relies on the LiveData ICCP server.

Check with the ICCP vendor to determine if patching is required.

Remediation

Contact your ICCP server vendor and deploy a patch if available. A patch is available for all LiveData branded ICCP servers. Third party vendors that integrate the LiveData ICCP server may or may not support the patch.

Compensating Controls

  • Use a firewall or other filtering to limit access to ICCP servers

External Links

iDefense Public Advisory

Nessus Plugin 25147

LiveData Home Page
