Schneider Electric Working on Patch for Flaw in Triconex TriStation Emulator

A serious denial-of-service (DoS) vulnerability has been found in Schneider Electric’s Triconex TriStation Emulator software. The vendor has yet to release a patch, but assured customers that the flaw does not pose a risk to operating safety controllers.

The vulnerability, discovered by a researcher from industrial cybersecurity firm Applied Risk, can be exploited to cause a DoS condition on an emulated controller by sending it specially crafted Triconex System Access Application (TSAA) packets over the network on UDP port 1500.

“Communication settings within Triconex TriStation Emulator allow configuration of different Node Numbers. The specifically crafted TSAA packet is required to match the victim’s Node Number for successful exploitation,” Applied Risk said in its advisory. “The vulnerability is likely to be caused through unhandled exceptions in the Triconex TriStation Emulator’s TSAA network stack.”

Applied Risk told SecurityWeek that the impacted software is typically not accessible from the internet.

The security hole affects Triconex TriStation Emulator version 1.2.0, which is installed with Triconex TriStation 1131 version 4.9.0, and possibly earlier versions. Version 1.2.0 was released in 2011.

The vulnerability, tracked as CVE-2018-7803 with a CVSS score of 7.5, was first reported to Schneider in late July 2018. The company initially said it may not release a patch due to its low impact, but later decided to address the issue. A patch was initially expected to be made available in January, but it has now been pushed to July.

Until patches are released, Schneider has advised customers to implement general security recommendations that should prevent potential exploitation.

The notorious Triton malware (aka Trisis and HatMan), which threat actors used in 2017 in an attack aimed at a petrochemical plant in Saudi Arabia, targeted Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers via a zero-day vulnerability affecting older versions of the product. Since these SIS controllers are designed to prevent accidents by shutting down systems if dangerous parameters are detected, malicious actors can cause physical damage if they can tamper with the device and configure it to allow dangerous parameters.

However, the Triconex TriStation Emulator allows users to emulate and execute TriStation 1131 applications without actually connecting to a Tricon, Trident or Tri-GP controller.

“The emulator is used infrequently for application logic testing. It is susceptible to an attack only while running in off-line mode. This vulnerability does not exist in Triconex hardware products and therefore has no effect on the operating safety functions in a plant,” Schneider explained in its advisory.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
