LiveData ICCP Server heap buffer overflow vulnerability

From SCADApedia


Versions prior to 5.00.035 of LiveData's ICCP Server, which is used in a number of ICCP servers from LiveData and other vendors, will crash and require a reboot if scanned by Amap.


Vulnerability

Amap is a popular free scanning tool from The Hacker's Choice (THC) that identifies applications and services by sending packets and evaluating the response. It is widely used by both hackers and IT Security professionals.

An Amap scan causes LiveData ICCP server versions prior to 5.00.035 to crash due to a heap buffer overflow in the TPKT (RFC 1006) implementation.
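To make the bug class concrete, the following added example (not LiveData's code, and not a reconstruction of the actual defect, whose internals this page does not give) shows a TPKT (RFC 1006) header parser that checks the 16-bit length field against the destination buffer before copying, which is the check a TPKT layer needs so that a crafted or unexpected length cannot overrun a heap buffer. The header layout comes from RFC 1006; the constants, enum and function names are assumptions made for the example.

```c
/* Added example (not LiveData's code): a bounds-checked TPKT (RFC 1006)
 * header parser showing the generic length check a TPKT layer needs. */
#include <stdint.h>
#include <string.h>

#define TPKT_HDR_LEN 4
#define TPKT_VERSION 3

/* Result of validating a TPKT header against the bytes actually held. */
typedef enum {
    TPKT_OK = 0,
    TPKT_NEED_MORE,    /* fewer than 4 bytes received, wait for more */
    TPKT_BAD_VERSION,  /* first byte is not 3 */
    TPKT_BAD_LENGTH    /* length < 4 or larger than the destination buffer */
} tpkt_status;

/* Validate the TPKT header in buf[0..have) and, on success, store the
 * total PDU length in *pdu_len. cap is the size of the heap buffer the
 * caller will copy the PDU into; a length above cap is rejected here
 * instead of being trusted and handed to memcpy(). */
tpkt_status tpkt_validate(const uint8_t *buf, size_t have, size_t cap,
                          size_t *pdu_len)
{
    if (have < TPKT_HDR_LEN)
        return TPKT_NEED_MORE;
    if (buf[0] != TPKT_VERSION)
        return TPKT_BAD_VERSION;
    /* Length is big-endian and includes the 4 header bytes. */
    size_t len = ((size_t)buf[2] << 8) | buf[3];
    if (len < TPKT_HDR_LEN || len > cap)
        return TPKT_BAD_LENGTH;
    if (pdu_len)
        *pdu_len = len;
    return TPKT_OK;
}

/* Copy one complete TPKT PDU from the receive buffer into dst (size cap).
 * Returns the bytes copied, or 0 if the header is invalid or the PDU is
 * not yet fully received. */
size_t tpkt_extract(const uint8_t *buf, size_t have, uint8_t *dst, size_t cap)
{
    size_t len = 0;
    if (tpkt_validate(buf, have, cap, &len) != TPKT_OK)
        return 0;
    if (have < len)          /* wait for the rest of the PDU */
        return 0;
    memcpy(dst, buf, len);   /* safe: len <= cap was checked above */
    return len;
}
```

The same validation applies whether the peer is a legitimate ICCP partner or a scanner probing TCP/102; the parser never lets the advertised length exceed the memory it owns.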

No effort was made to use the heap buffer overflow to gain remote control of the vulnerable ICCP server since this simple denial of service attack was serious enough to warrant patching.

The functionality in Amap that caused the crash may also be found in other vulnerability scanning tools.

This vulnerability was discovered and reported to US-CERT by Matt Franz of Digital Bond.

Affected Systems

All systems and applications running LiveData's ICCP Server earlier than version 5.00.035.

The LiveData ICCP server is the second most widely deployed ICCP server. It is deployed under the LiveData brand and private labeled by control system application vendors including:

  • Advanced Control Systems, Inc
  • Barco
  • Eliop
  • GEA-India
  • Hitachi
  • Invensys Process Systems
  • LogicaCMG
  • Radio Control Central Stations, Inc.
  • SPL Worldgroup, Inc.
  • S&C Electric Company
  • Telvent

There may be additional vendors not on this list that use the LiveData ICCP server. All asset owners with ICCP servers should either contact their vendor or use one of the detection methods below to determine if they are vulnerable.

Impact

ICCP servers are used to pass information between SCADA/EMS systems, often between asset owners. A US bulk electric entity is likely to have ICCP Security Associations with multiple other bulk electric entities. Firewalls and other perimeter security devices must be configured to allow TCP/102, the ICCP port, for authorized ICCP communication.

If an attacker were able to gain access to one electric entity, he would be able to crash and possibly remotely control all ICCP servers the organization communicates with that have an unpatched LiveData ICCP server application.

Versions of the LiveData ICCP server prior to 5.00.035 also exhibited memory leaks and began to consume excessive CPU and memory resources under certain testing circumstances.

Detection

Digital Bond has written Nessus Plugin 23813, which identifies the presence of a LiveData ICCP server. Asset owners who are unsure of the brand of the underlying ICCP server in use (most likely either SISCO or LiveData) can use this plugin to determine whether their system relies on the LiveData ICCP server.

Check with the ICCP vendor to determine if patching is required.

Remediation

Contact your ICCP server vendor and deploy a patch if available. A patch is available for all LiveData branded ICCP servers. Third party vendors that integrate the LiveData ICCP server may or may not support the patch.

Compensating Controls

  • Use a firewall or other filtering to limit access to ICCP servers
  • Prohibit Amap and other vulnerability scanning of known vulnerable ICCP servers by policy

External Links

US-CERT Vulnerability Note 190617

Nessus Plugin 23813

Amap Scanning Tool

LiveData Home Page
