Security Bulletin Covering CVE-2013-2802; CSA-13-231-01B
Abstract: Response for Vulnerabilities found in IPm RTUs
This document will help explain the necessary steps to resolve security issues found as a result of loading new firmware.
CVSS v2.0 Base Vulnerability Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Severity | Base Score Range
None | 0.0
Low | 0.1-3.9
Medium | 4.0-6.9
High | 7.0-8.9
Critical | 9.0-10.0
Products: ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D
Versions Affected:
- Firmware 4.9.152
- Tool Kit 3.60.118
Revision Information: 12 November 2019
Vulnerability: Sixnet Universal Protocol Undocumented Function Codes
The universal protocol implementation in Sixnet UDR before 2.0 and RTU firmware before 4.8 allows remote attackers to execute arbitrary code; read, modify, or create files; or obtain file metadata via function opcodes.
- Configuring the RTU with telnet and FTP enabled results in root access via the Ethernet port.
a. Root access must be disabled when FTP and telnet are enabled, and user access created in its place.
i. Telnet into the RTU and disable the root account with the ‘passwd -l’ command.
b. Enable User Authentication.
i. Using the Toolkit program, go to Configuration>>Configuration Station/Module>>Configure Users.
ii. Check the “Enable user authentication” check box.
iii. Remove all permissions from the ‘anonymous’ user.
iv. Click “Add User…”, enter a user name and password, then set permissions for the user.
v. After the configuration is loaded to the RTU, user authentication is enabled in the RTU.
c. ICS-CERT also encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
i. Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
ii. Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
iii. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
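The following is an added audit helper, not part of the bulletin or of any Sixnet tooling, for verifying the root-lockout step in (a) above. It relies on the fact that `passwd -l` locks an account by prefixing the hash field of its /etc/shadow entry with '!' (shadow-utils and BusyBox both do this), and it assumes an inetd-style service table on the RTU, which is an assumption rather than something the bulletin states; the sample files are constructed.

```python
"""Audit helper: confirm root is locked while telnet/FTP remain enabled.

Assumption (not from the bulletin): services are listed in an inetd.conf-style
table. Sample shadow and inetd data below are constructed placeholders.
"""

def parse_shadow(shadow_text):
    """Map user name -> password hash field from /etc/shadow-format text."""
    entries = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            entries[fields[0]] = fields[1]
    return entries

def root_locked(shadow_text):
    """True only if root's hash is '!'- or '*'-prefixed.
    An empty hash field means passwordless login, which is NOT locked."""
    entries = parse_shadow(shadow_text)
    if "root" not in entries:
        raise ValueError("no root entry found in shadow data")
    return entries["root"].startswith(("!", "*"))

def enabled_services(inetd_text):
    """Service names from active (non-comment, non-blank) inetd lines."""
    services = set()
    for line in inetd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            services.add(line.split()[0])
    return services

def audit(shadow_text, inetd_text):
    """Return findings; an empty list means the lockout step is in place."""
    findings = []
    remote = enabled_services(inetd_text) & {"telnet", "ftp"}
    if not root_locked(shadow_text):
        if remote:
            findings.append("CRITICAL: root unlocked while %s enabled; run 'passwd -l root'"
                            % ", ".join(sorted(remote)))
        else:
            findings.append("HIGH: root account not locked")
    return findings

# Constructed sample files (placeholder hashes, not from any real device).
SHADOW_BEFORE = "root:$1$xyz$PLACEHOLDER:18000:0:99999:7:::\nnobody:*:18000:0:99999:7:::\n"
SHADOW_AFTER = "root:!$1$xyz$PLACEHOLDER:18000:0:99999:7:::\nnobody:*:18000:0:99999:7:::\n"
INETD = ("# constructed inetd-style table\n"
         "telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n"
         "ftp    stream tcp nowait root /usr/sbin/ftpd ftpd\n")

if __name__ == "__main__":
    for name, shadow in (("before", SHADOW_BEFORE), ("after", SHADOW_AFTER)):
        print(name, audit(shadow, INETD) or ["OK: root locked"])
```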