CitectSCADA Safety and Security Knowledge Base

The Modnet Driver May Allow Random Writes To Individual Bits In A Word Using "Read Modify Write" Process

Geoff Leach — Wed, 24 Feb 2010 00:50:00 GMT

Abstract:

We would like to draw your attention to an issue which has been reported to SCADA Global Support regarding the Modnet communication driver.
The issue was reported on Modnet Driver version 2.6.19.0 (release), but is likely to exist on all versions of the driver and is fixed in Modnet Driver version 2.06.025.001 (release).

The issue is independent of the version of SCADA.
The issue has so far only been noted when communicating with Unity Quantum PLCs.

Symptoms:

The Modnet driver allows users to write to individual bits in a word using a process known as "read modify write".
Under certain circumstances other bits in the word being written to can be affected in a random manner.

Circumstances:

The issue only occurs when using the write to bit in a word as described above; other write operations are not affected.

For example, writing to addresses such as 400007.3 or %MW500.5

The issue can only occur when the following parameters are used in the CITECT.INI file:

[Modnet] MaxPending greater than 1
and
[Modnet] MaxOutstanding greater than 1

Please note: the default installed values of these parameters in the current version of the driver are:

[Modnet] MaxPending = 2
[Modnet] MaxOutstanding = 1

Older versions have higher values for both parameters.
Only devices capable of processing requests out of order can demonstrate this issue.
The issue only occurs under increased load conditions when multiple requests are likely to be processed out of order.

Workaround:

This issue can be avoided by setting the following parameter to be used in the CITECT.INI file:

[Modnet] MaxOutstanding = 1

Note that this workaround can result in a degradation of the communications performance to the Modnet device(s) if you have higher values for this parameter.

Solution:

This problem is rectified in the Modnet Release version 2.06.25.001.
Download from DriverWeb and Install.

If you want to receive updates on Modnet driver notifications and discussions you may subscribe to the Modnet forum of DriverWeb or check our website for updated information.

For assistance:

• Vijeo Citect customers, contact your local Schneider office.

• CitectSCADA and CitectFacilities customers, contact the SCADA Global Support Centre on the appropriate number for your country listed below.

SCADA Global Support Centre contact details:

OCEANIA
Australia: 1300 131 631
New Zealand: 0800 880 026

AFRICA
South Africa: 0800 998 887

LATIN AMERICA
Brazil: 800 891 2162
Mexico: 001 866 522 0285

MIDDLE EAST
Israel: 1 809 216 065

NORTH AMERICA
USA/Canada: 866 589 6855

GREATER CHINA
China: 10 800 712 1587

NORTH ASIA
Japan: 00531 121 985
South Korea: 00798 14 800 7112

SOUTH EAST ASIA
Singapore: 0800 120 4562

EUROPE
Belgium 0800 40 710
Czech Republic 0800 134 466
Denmark 808 87 453
Finland 0800 913 065
France 04 72 15 84 50
Germany: +49 8931901445
Hungary: 06 800 18490
Italy: 800 986 902
Norway: 800 11979
Spain: 800 098 944
Sweden: 0200 882 612
Switzerland: 0800 001 241
Netherlands: 0800 020 0498
UK: 0800 376 2869

ALL OTHER COUNTRIES
Reverse call charges: +61 2 9496 7400

EMAIL
support@citect.com

IDC & FTP security recommendations

Administrator — Wed, 22 Oct 2008 20:38:00 GMT

Abstract:

Products: CitectSCADA / Vijeo Citect / CitectFacilities

Versions: All

Related area: IDC (Internet Display Clients) using FTP only

Background Information:

CitectSCADA currently ships with an FTP server, which is installed, but not activated, by default and is used in order to configure and correctly utilise Internet Display Client (IDC) functionality.

(note: If you are not using the CitectSCADA IDC functionality, do not have your server set-up as a Citect Internet Server - see below - and hence the FTP server is not running, this information will not pertain to your installation and you will need take no further action)

FTP (File Transfer Protocol) provides the capability of transferring files between a client and a server. In the case of CitectSCADA it is used to download project files to the IDC. You may also use remote command capabilities to submit commands to the server. Consequently, FTP is very useful for working with remote systems, or to move files between systems. However, the use of FTP across the Internet, or other untrusted networks can expose you to certain security risks.

You must understand these risks to ensure that your security policy describes how you will minimize these risks.

Whilst the CitectSCADA FTP server is designed to operate in a 'read-only' mode (that is, files can only be downloaded, not uploaded), FTP communications are, by default, not encrypted. In an unsecure network situation this could expose data or the traffic to sniffing and injection attacks. The FTP server may be open to a Denial of Service or memory leak attack should an attacker supply invalid format specifiers during login. This would cause the FTP server to fail and render the IDC's unable to operate until the FTP server was brought back up.

How do I know if I'm running the CitectSCADA FTP server?

If you are using the CitectSCADA IDC functionality you will have to have enabled your server as an 'Internet Server', which will activate the FTP server. If you are unsure as to whether a server is an Internet Server, please use the Computer Setup Wizard to check the Internet Server setting or see your citect.ini file (paramater will be: [Internet] Server=1).

Recommendations

Citect's recommendations for customers who may be concerned about using FTP are as follows:

- switch from using the IDC to the CitectSCADA Web Client. There are no licensing restrictions in doing this, and minimal functional changes result. Some set-up is required, including activating a web server (IIS or Apache) and installing a supporting application. Using the Web Client negates the need for using FTP. Upgrades from IDC to Web Client are free. Note that the Web Client is only available for version 6.0 of CitectSCADA and above. If you are running an earlier version of CitectSCADA, we recommend that you upgrade to the latest version.

- switch from using the IDC to a traditional CitectSCADA desktop client. There will be a small license key configuration change needed to do this, but again this negates the need to use FTP. Furthermore, you will need to consider how project files will be deployed to remote clients.

- in circumstances where swapping from the IDC is not an option, we recommend securing your FTP traffic through the use of appropriate firewall rules, SSH and optionally VPN. Ensure that the network on which the FTP server is running is inaccesible from non-controlled and non-trusted networks and that network logons are tightly controlled. If possible, use secure IP, which may involve some hardware upgrades.

- if IDCs are not in use, turn off the FTP service (by ensuring a server is not marked as an 'Internet Server' - see above) and/or block FTP traffic at the firewall.

The recommendations above still stand, but in addition we recommend customers still requiring to run IDCs and FTP to also upgrade to version 7.1.

Release 7.1 of CitectSCADA (Q4 2008) contains an updated version of the FTP server with additional security features. These features remove the ability to attempt a DOS or memory leak attack, and also address an issue with a hardcoded username and password [v7.0 SP1 and v7.1+ only].

Alternatively, please install an updated version of the FTP server for your version of CitectSCADA, which will be made available shortly from Citect Support as a separate executable file. Service Pack 1 for CitectSCADA v7.0, planned for Q4 2008, will also contain the relevant updates.

If you have any questions or concerns, please contact our support department in the first instance.

[Credits: our thanks goes to Netragard for their help in identifying the above issues and working with us on recommended actions]

SCADA and Process Control Network Security

Administrator — Sat, 20 Sep 2008 02:27:00 GMT

Abstract:

Products: CitectSCADA / Vijeo Citect / CitectFacilities

Versions: All

A security vulnerability has been found in CitectSCADA which could expose the system to a buffer overflow attack.

The issue affects customers running ODBC by targeting an open port (20222) which can cause the system to crash, opening up the possibility of arbitrary code execution.

This vulnerability has been patched for version 6.0A, 6.1A, 6.1B, and version 7.0 of CitectSCADA. Please see the information below with reference to specific hotfix numbers, or contact our support department for further information. For customers not requiring ODBC connectivity we recommend closing port 20222 in addition to applying the relevant patch.

Patch references:

7.0 Patch is HF700R138255
Bug 38255 - Security vulnerability on citect port 20222 (ODBC port).

6.1B Patch is HF610B38255
Bug 38255 - Security vulnerability on citect port 20222 (ODBC port).

6.1A Patch is HF610A38255

Bug 38255 - Security vulnerability on citect port 20222 (ODBC port).

6.0A Patch is HF600A39160 (yes)

Bug 38255 - Security vulnerability on citect port 20222 (ODBC port)

[note, the hotfixes have been re-tested following the publication of metasploit code designed to target this vulnerability. We can confirm that the fixes will work against this code. Also note that closing port 20222 in itself will also work]

To obtain Security Hotfixes contact Citect support

For further information please see our website, contact support or your local Citect representative.

Further general information:

The following advice is communicated for the benefit and enhancement of the use of our software.

CitectSCADA is not designed to reside on a public network.

We recommend robust protection which may include firewall, intrusion detection systems, VPN and segmentation between the enterprize network and the internet to prevent unauthorized communications to your servers.

Most importantly, we advice that process control networks which typically use open, published communication protocols, should not be accessible from a public network.

Further information is provided in the whitepaper that can be download from our website Technical Whitepaper on SCADA system security.

Additional information on the security and protection of SCADA and PCN is currently available through several established government associated sources such as:

USA
US-CERT: United States Computer Emergency Readiness Team

Europe
ENISA: European Network Information Security Agency

UK
GovCertUK: Computer Emergency Response Team
(previous responsibility with NISCC: National Infrastructure Security Co-ordination Centre)

CPNI: Centre for the Protection of National Infrastructure
SCADA Security publication

Australia
TISN: Trusted Information Sharing Network
SCADA Security publication

Further sources of information such as, standards association publications, papers and references can been found within the above links.