Schneider Electric Telvent Remote Terminal Unit (RTU) Improper Ethernet Frame Padding Vulnerability (ISCA-16-070-01)

ITS Advisory Number: 2016-055
Date(s) Issued: Thursday, April 7, 2016
Subject: Schneider Electric Telvent Remote Terminal Unit (RTU) Improper Ethernet Frame Padding Vulnerability (ISCA-16-070-01)
Overview: 

A vulnerability has been identified in Schneider Electric's Telvent SAGE 2300 and 2400 remote terminal units (RTUs). It is caused by an Institute of Electrical and Electronics Engineers (IEEE) conformance issue involving improper Ethernet frame padding. The attack is passive; the attacker can only see data that the affected device sent out as part of a packet.

Systems Affected: 
  • Wi Sage 3030M, with firmware prior to C3414-500-S02J2

  • Sage 1410, with firmware prior to C3414-500-S02J2

  • Sage 1430, with firmware prior to C3414-500-S02J2

  • Sage 1450, with firmware prior to C3414-500-S02J2

  • LANDAC II-2, with firmware prior to C3414-500-S02J2

  • Sage 2300, with firmware prior to C3413-500-S01

  • Sage 2400, with firmware prior to C3414-500-S02J2 (released March 2015)

RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: N/A
Description: 

A vulnerability has been identified in Schneider Electric's Telvent SAGE 2300 and 2400 remote terminal units (RTUs). It is caused by an Institute of Electrical and Electronics Engineers (IEEE) conformance issue involving improper Ethernet frame padding. The attack is passive; the attacker can only see data that the affected device sent out as part of a packet. Details of this vulnerability are as follows:

When an Ethernet frame is shorter than the minimum size, the padding appended to the data field should consist entirely of zeros. Previous firmware versions instead filled this field with other data from a known area of memory, which could exfiltrate or leak that data to anyone observing the frames. Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation. The contents of the updates window were retrieved from the network using an unprotected HTTP connection. [CVE-2016-1731]
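The following Python script is an added example written for this advisory; it is not code from the advisory, from NCCIC/ICS-CERT, or from Schneider Electric. It shows how a defender can audit captured frames for the condition described above: for each IPv4 frame it locates the bytes that lie past the end of the IP datagram (the Ethernet padding) and flags any frame whose padding is not all zeros. The sample frames, MAC addresses (locally administered) and IP addresses (192.0.2.0/24 documentation range) are constructed inline; `build_test_frame` with a non-empty `pad_fill` simply models a device that fills the pad with memory contents instead of zeros.

```python
import struct
from typing import List, Optional, Tuple

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
MIN_FRAME_LEN = 60  # minimum Ethernet frame on the wire, not counting the 4-byte FCS


def ipv4_total_length(frame: bytes) -> Optional[int]:
    """Return the IPv4 Total Length field of the frame, or None if it is not IPv4."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4 or frame[ETH_HDR_LEN] >> 4 != 4:
        return None
    (total,) = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])
    return total


def padding_bytes(frame: bytes) -> bytes:
    """Bytes after the end of the IP datagram; they exist only to reach MIN_FRAME_LEN."""
    total = ipv4_total_length(frame)
    if total is None:
        return b""  # non-IPv4 frames are outside the scope of this check
    return frame[ETH_HDR_LEN + total:]


def padding_is_clean(frame: bytes) -> bool:
    """True when every padding byte is zero, as the IEEE 802.3 frame format requires."""
    return not any(padding_bytes(frame))


def audit(frames: List[bytes]) -> List[Tuple[int, str]]:
    """Return (index, hex of padding) for each frame whose padding carries non-zero data."""
    return [(i, padding_bytes(f).hex()) for i, f in enumerate(frames) if not padding_is_clean(f)]


def _ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_test_frame(payload: bytes, pad_fill: bytes = b"") -> bytes:
    """Constructed sample: a minimal IPv4/UDP frame with documentation addresses,
    padded to MIN_FRAME_LEN. pad_fill is repeated to fill the padding (zeros if empty),
    so a non-empty pad_fill models firmware that leaks memory contents into the pad."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 20000, 20000, udp_len, 0) + payload  # UDP checksum is optional over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IPV4)
    frame = eth + ip + udp
    needed = max(0, MIN_FRAME_LEN - len(frame))
    if pad_fill:
        padding = (pad_fill * (needed // len(pad_fill) + 1))[:needed]
    else:
        padding = bytes(needed)
    return frame + padding


if __name__ == "__main__":
    # One conforming frame and one that leaks a constructed string through its padding.
    samples = [build_test_frame(b"ping"), build_test_frame(b"ping", b"secret!\x00")]
    for idx, leaked in audit(samples):
        print(f"frame {idx}: non-zero padding {leaked}")
```

In practice the frames would come from a capture taken on a span port facing the RTUs; the check only reads the IPv4 Total Length field and the frame length, so it works on raw frames without any protocol decoding beyond the IP header. Padding that is consistently non-zero across many frames from one device is the signature of the behaviour this advisory describes and is a reason to confirm that the firmware listed under Systems Affected has been updated.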

Actions: 
  • After appropriate testing apply applicable updates provided by Apple to vulnerable systems.

  • Minimize network exposure for all control system devices and/or systems ensuring they are not accessible via the internet.

  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.

  • Upgrade to Telvent Sage 2400 platform