search menu icon-carat-right cmu-wordmark

CERT Coordination Center


LiveData ICCP Server heap buffer overflow vulnerability

Vulnerability Note VU#190617

Original Release Date: 2006-05-16 | Last Revised: 2008-09-22

Overview

LiveData ICCP Server contains a heap-based buffer overflow. This vulnerability may allow a remote attacker to crash the server.

Description

Inter-Control Center Communications Protocol (ICCP)

According to the LiveData ICCP Server white paper:

The Inter-Control Center Communications Protocol (ICCP) is being specified by utility organizations throughout the world to provide data exchange over wide area networks (WANs) between utility control centers, utilities, power pools, regional control centers, and Non-Utility Generators. ICCP is also an international standard: International Electrotechnical Commission (IEC) Telecontrol Application Service Element 2 (TASE.2).

ISO Transport Service over TCP (TPKT, RFC 1006)

RFC 1006 specifies how to run the OSI transport protocol on top of TCP/IP. In the layered protocol model, RFC 1006 is situated between the TCP and OSI transport layers.

LiveData ICCP Server and LiveData Server

LiveData ICCP Server records and transmits data to other control points in process control networks. According to the LiveData ICCP Server white paper:

The LiveData ICCP Server is based on LiveData's standard off-the-shelf software product, LiveData Server, which features a rich set of integration methods that can be easily applied to new and existing SCADA/EMS/DCS systems.
The Problem

The LiveData implementation of RFC 1006 is vulnerable to a heap-based buffer overflow. By sending a specially crafted packet to a vulnerable LiveData RFC 1006 implementation, a remote attacker may be able to trigger the overflow.

Impact

This vulnerability may allow a remote, unauthenticated attacker to crash a LiveData ICCP Server.

Solution

Upgrade
This issue is corrected in LiveData ICCP Server version 5.00.035.

Vendor Information

190617
Expand all

Invensys Process Systems

Notified:  May 08, 2006 Updated:  June 26, 2006

Status

  Vulnerable

Vendor Statement

LiveData ICCP Problem Report and Fix:  CERT VU#190617

June 18, 2006

Invensys is committed to ensuring that our customers and employees are kept current on issues that might affect or improve system operation. We are dedicated to focusing on product, application and service availability and reliability.

This customer notification is provided to you for informational purposes only. Invensys has directly contacted the customers that may be affected by the situation described.

Background

The situation described below involves a third party product used in a limited number of I/A Series DCS and I/A Series SCADA, and Wonderware/InFusion customer installations. It also involves a United States government agency named in the following paragraphs.

LiveData is a vendor located in Cambridge, MA, who makes a product called "Live RTI Server". This product in our usage supports a protocol called "ICCP", or Inter Control Center Protocol. We supply an RTI interface from the various platforms we support to the LiveData Live RTI Server. This interface is used to send and receive realtime data from the host system (I/A Series, FoxSCADA, or Wonderware/InFusion) to/from the remote system(s).

The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation.

Situation

US-CERT has published Vulnerability Note VU#190617 on its website, relating to a potential problem that may be encountered with the LiveData ICCP Server software.  LiveData has addressed the issue in an updated release of LiveData ICCP Server (version 5.00.035).

A specifically crafted network packet targeting LiveData Server's RFC 1006 network interface may lead to a heap-buffer overflow condition and eventual crash of LiveData Server.  A remote attacker with network access to a LiveData Server implementation could exploit this vulnerability to crash LiveData Server.

No customer, to LiveData's knowledge, has experienced such an attack, but LiveData takes such possibilities very seriously. LiveData has identified Invensys as an impacted Vendor.

In turn, Invensys has identified our customers that may be impacted, of which all have been notified and instructed on acquiring and implementing the latest version of LiveData ICCP Server (version 500.035).

You may view the CERT report in detail at:

http://www.kb.cert.org/vuls/id/190617

For Information

If you have any questions regarding this notification, please contact your local Service Representative or the Invensys Customer Satisfaction Center (CSC) at


<mailto:ips.csc@invensys.com>

or telephone:

            USA: 1-866-746-6477 or 1-508-549-2424 (International + 1 508-549-2424).

            Europe, the Middle East and Africa: +31 35 54 84125.

            Asia-Pacific: +65 6829 8899.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

LiveData Inc.

Notified:  February 23, 2006 Updated:  September 22, 2008

Status

  Vulnerable

Vendor Statement

It is LiveData's opinion that these issues are software bugs exercised by protocol-illegal data packets, not security vulnerabilities, given that MMS/ICCP over OSI or RFC1006 are not secure protocols intended for use on public networks. It is the user's responsibility to secure MMS/ICCP network traffic at the network level. LiveData Server over RFC1006 is not marketed as a public network service, and those seeking a public network solution should look to Secure ICCP (ICCP over SSL).

Treated as a bug, LiveData always responds to bug reports with software fixes as soon as we possibly can when the bug affects a customer. We do not normally push this information to other customers unless it is likely that they will be adversely affected by the bug. It is LiveData's opinion the no user is likely to be adversely affected by this bug.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to ftp://ftp.livedata.com/ for the latest versions of LiveData Server and LiveData ICCP Server.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Telvent

Notified:  May 08, 2006 Updated:  August 22, 2006

Status

  Vulnerable

Vendor Statement

Telvent is committed to ensuring the security of all of our customers and to addressing any potential vulnerabilities associated with our products, or third-party products we have integrated or deployed alongside our products. All customers affected by the LiveData VU#190617 vulnerability have been contacted directly.

Situation:

Telvent has deployed a very limited number of systems utilizing the LiveData Live RTI Server product, only one of which was found to operate the vulnerable version of the application. This system had not yet entered operation and an upgrade to a non-vulnerable version of the LiveData software was performed at the factory. Testing was performed to ensure that no adverse affects resulted from this upgrade.

Any future deployments of the LiveData Live RTI Server software will be performed using software versions which are not subject to this vulnerability. No Telvent product lines are directly affected by this vulnerability and only those customers who have also requested the deployment of the LiveData Live RTI Server faced possible impact. No Telvent product lines or deployed systems remain affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Advanced Control Systems, Inc

Notified:  May 08, 2006 Updated:  May 24, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Advanced Control systems customers should contact our HelpDesk for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Barco

Notified:  May 08, 2006 Updated:  May 25, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Barco is not using the specified protocal int this note. Barco is supplying only visualisation tools , meaning large monitors with graphical cards and is as such not connected to critical control components.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Eliop

Notified:  May 08, 2006 Updated:  May 08, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GEA-India

Notified:  May 08, 2006 Updated:  May 08, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi

Notified:  June 21, 2006 Updated:  June 21, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

LogicaCMG

Notified:  May 08, 2006 Updated:  May 08, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Radio Control Central Stations, Inc.

Notified:  May 08, 2006 Updated:  May 24, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We at RCCS are not using the ICCP interface.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

S&C Electric Company

Notified:  May 08, 2006 Updated:  May 08, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SPL Worldgroup, Inc.

Notified:  May 08, 2006 Updated:  May 08, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Telvent

Notified:  August 22, 2006 Updated:  August 22, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to Matt Franz of Digital Bond Inc. for reporting this vulnerability. Information used in this document came from LiveData.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2006-0059
Severity Metric: 7.93
Date Public: 2006-05-16
Date First Published: 2006-05-16
Date Last Updated: 2008-09-22 22:14 UTC
Document Revision: 126

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.