A serious denial-of-service (DoS) vulnerability has been found in Schneider Electric’s Triconex TriStation Emulator software. The vendor has yet to release a patch, but assured customers that the flaw does not pose a risk to operating safety controllers.
The vulnerability, discovered by a researcher from industrial cybersecurity firm Applied Risk, can be exploited to cause a DoS condition on an emulated controller by sending it specially crafted Triconex System Access Application (TSAA) packets over the network on UDP port 1500.
“Communication settings within Triconex TriStation Emulator allow configuration of different Node Numbers. The specifically crafted TSAA packet is required to match the victim’s Node Number for successful exploitation,” Applied Risk said in its advisory. “The vulnerability is likely to be caused through unhandled exceptions in the Triconex TriStation Emulator’s TSAA network stack.”
Applied Risk told SecurityWeek that the impacted software is typically not accessible from the internet.
The security hole affects Triconex TriStation Emulator version 1.2.0, which is installed with Triconex TriStation 1131 version 4.9.0, and possibly earlier versions. Version 1.2.0 was released in 2011.
The vulnerability, tracked as CVE-2018-7803 with a CVSS score of 7.5, was first reported to Schneider in late July 2018. The company initially said it may not release a patch due to its low impact, but later decided to address the issue. A patch was initially expected to be made available in January, but it has now been pushed to July.
Until the patch is released, Schneider has advised customers to follow its general security recommendations, which should prevent exploitation.
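As an added example, not code from the article, Applied Risk or Schneider: the only network facts the advisories give are that the attack arrives as TSAA over UDP port 1500 and that the emulator is normally not reachable from the internet, so a practical interim control is to watch for UDP/1500 traffic reaching emulator hosts from anywhere other than the engineering workstations that legitimately use them. The flow records, host addresses, plant network range and allowlist below are constructed for illustration and would be replaced by the site's own inventory.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TSAA, the protocol the crafted packets are sent over, uses UDP port 1500
# (from the Applied Risk advisory).
TSAA_UDP_PORT = 1500

# Assumed inventory (constructed for this example): hosts running the
# TriStation Emulator, the engineering workstations allowed to talk to them,
# and the address range of the plant network.
EMULATOR_HOSTS = {"10.10.5.20", "10.10.5.21"}
ALLOWED_ENGINEERING_WS = {"10.10.5.10"}
PLANT_NETWORK = ipaddress.ip_network("10.10.0.0/16")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst proto dport' flow record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def is_tsaa_to_emulator(flow: Flow) -> bool:
    """True for UDP traffic to port 1500 on a host running the emulator."""
    return (flow.proto == "udp"
            and flow.dport == TSAA_UDP_PORT
            and flow.dst in EMULATOR_HOSTS)


def classify(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow is TSAA traffic the emulator should
    not be receiving, or None if it is expected (or not TSAA at all)."""
    if not is_tsaa_to_emulator(flow):
        return None
    if ipaddress.ip_address(flow.src) not in PLANT_NETWORK:
        # The emulator is not supposed to be reachable from outside the plant.
        return "outside-plant-network"
    if flow.src not in ALLOWED_ENGINEERING_WS:
        # Inside the plant, but not one of the workstations that should use it.
        return "unexpected-source"
    return None


def find_suspicious(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run the check over flow records; blank and '#' lines are skipped."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason is not None:
            findings.append((flow.src, flow.dst, reason))
    return findings


# Constructed sample flow records: src dst proto dport
SAMPLE_FLOWS = """\
# engineering workstation talking to an emulator host: expected
10.10.5.10 10.10.5.20 udp 1500
# another plant host sending TSAA to an emulator host: not expected
10.10.7.44 10.10.5.20 udp 1500
# address outside the plant network reaching an emulator host on UDP/1500
203.0.113.9 10.10.5.21 udp 1500
# TCP on 1500 is not TSAA as described in the advisory: ignored
10.10.5.10 10.10.5.20 tcp 1500
# UDP/1500 to a host that does not run the emulator: ignored
10.10.7.44 10.10.5.30 udp 1500
"""

if __name__ == "__main__":
    for src, dst, reason in find_suspicious(SAMPLE_FLOWS.splitlines()):
        print(f"{src} -> {dst}: {reason}")
```

The same logic translates directly into a firewall rule (permit UDP/1500 to the emulator hosts only from the engineering workstations) or an IDS rule keyed on the destination port; the script is only the detection side, run over exported flow logs.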
The notorious Triton malware (aka Trisis and HatMan), which threat actors used in 2017 in an attack aimed at a petrochemical plant in Saudi Arabia, targeted Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers via a zero-day vulnerability affecting older versions of the product. Since these SIS controllers are designed to prevent accidents by shutting down systems if dangerous parameters are detected, malicious actors can cause physical damage if they can tamper with the device and configure it to allow dangerous parameters.
The affected product, however, is not a controller: the Triconex TriStation Emulator lets users emulate and execute TriStation 1131 applications without connecting to a Tricon, Trident or Tri-GP controller.
“The emulator is used infrequently for application logic testing. It is susceptible to an attack only while running in off-line mode. This vulnerability does not exist in Triconex hardware products and therefore has no effect on the operating safety functions in a plant,” Schneider explained in its advisory.