Schneider Electric Working on Patch for Flaw in Triconex TriStation Emulator

A serious denial-of-service (DoS) vulnerability has been found in Schneider Electric’s Triconex TriStation Emulator software. The vendor has yet to release a patch, but assured customers that the flaw does not pose a risk to operating safety controllers.

The vulnerability, discovered by a researcher from industrial cybersecurity firm Applied Risk, can be exploited to cause a DoS condition on an emulated controller by sending it specially crafted Triconex System Access Application (TSAA) packets over the network on UDP port 1500.

“Communication settings within Triconex TriStation Emulator allow configuration of different Node Numbers. The specifically crafted TSAA packet is required to match the victim’s Node Number for successful exploitation,” Applied Risk said in its advisory. “The vulnerability is likely to be caused through unhandled exceptions in the Triconex TriStation Emulator’s TSAA network stack.”

Applied Risk told SecurityWeek that the impacted software is typically not accessible from the internet.

The security hole affects Triconex TriStation Emulator version 1.2.0, which is installed with Triconex TriStation 1131 version 4.9.0, and possibly earlier versions. Version 1.2.0 was released in 2011.

The vulnerability, tracked as CVE-2018-7803 with a CVSS score of 7.5, was first reported to Schneider in late July 2018. The company initially said it may not release a patch due to its low impact, but later decided to address the issue. A patch was initially expected to be made available in January, but it has now been pushed to July.

Until patches are released, Schneider has advised customers to implement general security recommendations that should prevent potential exploitation.

The notorious Triton malware (aka Trisis and HatMan), which threat actors used in 2017 in an attack aimed at a petrochemical plant in Saudi Arabia, targeted Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers via a zero-day vulnerability affecting older versions of the product. Since these SIS controllers are designed to prevent accidents by shutting down systems if dangerous parameters are detected, malicious actors can cause physical damage if they can tamper with the device and configure it to allow dangerous parameters.

However, the Triconex TriStation Emulator allows users to emulate and execute TriStation 1131 applications without actually connecting to a Tricon, Trident or Tri-GP controller.

“The emulator is used infrequently for application logic testing. It is susceptible to an attack only while running in off-line mode. This vulnerability does not exist in Triconex hardware products and therefore has no effect on the operating safety functions in a plant,” Schneider explained in its advisory.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
