Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

             IOServer Master Station Improper Input Validation
                               7 August 2013


        AusCERT Security Bulletin Summary

Product:           IOServer Master Station
Publisher:         US-CERT
Operating System:  Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2790  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSA-13-213-03)

IOServer Master Station Improper Input Validation

Original release date: August 01, 2013 | Last revised: August 05, 2013


Adam Crain of Automatak and independent researcher Chris Sistrunk have 
identified an improper input validation vulnerability in the IOServer DNP3 
Driver on the master station. IOServer has produced a new version that 
mitigates this vulnerability. The researchers have tested the new version to 
validate that it resolves the vulnerability.

This vulnerability could be exploited remotely.


The following IOServer product versions are affected:

    IOServer's Beta2041.exe, and
    IOServer's versions older than driver19.exe.


The master station device can be put into an infinite loop by sending a 
specially crafted TCP packet, known as "TCP Connection Hijacking." The device 
must be manually restarted to recover from the loop condition.

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of this vulnerability based on their operational environment, architecture, and
product implementation.


IOServer is a New Zealand-based company that maintains users in several 
countries around the world, including the UK, Canada, New Zealand, Australia, 
Austria, France, Germany, Netherlands, Italy, India, Czech Republic, China, 
Singapore, South Korea, South Africa, and Brazil.

IOServer is a Windows-based (WindowsNT/95/98/ME/2000/2003/XP/2008/7) OPC Server
that allows OPC clients such as human-machine interface and supervisory control
and data acquisition systems to exchange plant floor data with programmable 
logic circuits. According to IOServer, the affected products are deployed 
across multiple sectors including manufacturing, building automation, oil and
gas, water and wastewater, electric utilities, and others.




The IOServer driver does not validate or incorrectly validates input on the 
master server on Port 20000/TCP that can affect the control flow or data flow
of a program. When this software does not validate input properly, an attacker
is able to craft the input in a form that is not expected by the rest of the 
application. This will lead to parts of the system receiving unintended input,
which may result in altered control flow or arbitrary control of a resource.

As a result, the IOServer enters an infinite loop condition without an exit.
The system must then be restarted manually.

CVE-2013-2790[b] has been assigned to this vulnerability. A CVSS v2 base score 
of 7.1 has been assigned; the CVSS vector string is 



This vulnerability could be exploited remotely.


No known public exploits specifically target this vulnerability.


An attacker with a moderate skill would be able to exploit this vulnerability.


IOServer released Beta driver beta2042.exe resolves this vulnerability. This 
version has already been superseded by beta2043.exe. Information about this 
version of this product is available on the IOServer Web site:


The researchers suggest the following mitigation:

    Block DNP3 traffic from traversing onto business or corporate networks 
    through the use of an IPS or firewall with DPN3-specific rule sets.

ICS-CERT encourages asset owners to take additional defensive measures to 
protect against this and other cybersecurity risks.

    Minimize network exposure for all control system devices. Critical devices
    should not directly face the Internet.
    Locate control system networks and remote devices behind firewalls, and 
    isolate them from the business network.
    When remote access is required, use secure methods, such as Virtual Private 
    Networks (VPNs), recognizing that VPN is only as secure as the connected 

ICS-CERT also provides a section for control systems security recommended 
practices on the ICS-CERT Web page. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems 
Cybersecurity with Defense-in-Depth Strategies.[d] ICS-CERT reminds 
organizations to perform proper impact analysis and risk assessment prior to 
taking defensive measures.

Additional mitigation guidance and recommended practices are publicly available
in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B-Targeted Cyber
Intrusion Detection and Mitigation Strategies,[e] that is available for 
download from the ICS-CERT Web page (http://ics-cert.us-cert.gov/).

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to ICS-CERT for 
tracking and correlation against other incidents.

    a. CWE-20: Improper Input Validation  
       http://cwe.mitre.org/data/definitions/20.html, Web site last accessed 
       August 01, 2013.
    b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2790 , 
       NIST uses this advisory to create the CVE Web site report. This Web site
       will be active sometime after publication of this advisory.
    c. CVSS Calculator, 
       Web site last accessed August 01, 2013.
    d. CSSP Recommended Practices, 
       http://ics-cert.us-cert.gov/content/recommended-practices, Web site last
       accessed August 01, 2013.
    e. Targeted Cyber Intrusion Detection and Mitigation Strategies, 
       http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B, Web site last 
       accessed August 01, 2013.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: 

ICS-CERT continuously strives to improve its products and services. You can 
help by answering a short series of questions about this product at the 
following URL: https://forms.us-cert.gov/ncsd-feedback/.


For Legal Information pertaining to this document, please consult 

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967