Multiple issues in the IEC 60870-5-104 protocol could allow an unauthenticated, remote attacker to spoof communications or exploit other issues on the targeted system.
The issues in the affected protocol are due to insecure transmission and insufficient sanitization of the following:
- 32-bit string
- Packed output circuit information of protection equipment with time tag
- Single command, double command or regulating step command
- Set-point command
- Packed start events of protection equipment with time tag
- End of initialization
- Interrogation command
- Counter interrogation command
- APCI length
- Numbered supervisory function (S Format) message
- Unnumbered control function (U Format) message
- Information transfer (I Format) message header
- Unsupported ASDU
An attacker could exploit these issues by sending malicious network communications to the affected software. An exploit could allow an attacker to spoof the communications or exploit other issues resulting from improper processing of the protocol communications by the targeted system.
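Several of the listed items (APCI length, the S/U/I format control field, unsupported ASDU types) are structural properties of a frame that can be validated before it reaches the application. As an added example, not from the advisory or any vendor, the following Python parser applies those checks to IEC 60870-5-104 APDUs; the ALLOWED_ASDU_TYPES set is a hypothetical station profile and the sample frames in the test are constructed.

```python
# Constructed example: APCI/ASDU-header checks for IEC 60870-5-104 frames.
# ALLOWED_ASDU_TYPES is a hypothetical station profile, not a standard list.
from dataclasses import dataclass
from typing import Optional

START = 0x68
MIN_APDU_LEN, MAX_APDU_LEN = 4, 253  # bounds of the APCI length field
ASDU_HEADER_LEN = 6  # type id, VSQ, cause of transmission (2), common address (2)
U_FUNCTIONS = {0x07, 0x0B, 0x13, 0x23, 0x43, 0x83}  # STARTDT/STOPDT/TESTFR act and con
ALLOWED_ASDU_TYPES = {1, 30, 45, 46, 47, 50, 70, 100, 101}  # hypothetical profile

@dataclass
class Apdu:
    fmt: str  # "I", "S" or "U"
    send_seq: Optional[int]
    recv_seq: Optional[int]
    asdu: bytes

def parse_apdu(frame: bytes) -> Apdu:
    """Parse one APDU, raising ValueError on any malformed APCI or ASDU header."""
    if len(frame) < 6 or frame[0] != START:
        raise ValueError("missing start byte or truncated APCI")
    length = frame[1]
    if not MIN_APDU_LEN <= length <= MAX_APDU_LEN:
        raise ValueError(f"APCI length {length} out of range")
    if len(frame) != length + 2:  # declared length must match what actually arrived
        raise ValueError(f"APCI length {length} does not match frame size {len(frame)}")
    c1, c2, c3, c4 = frame[2:6]
    asdu = frame[6:]
    if c1 & 0x01 == 0:  # I format: numbered information transfer, carries an ASDU
        if len(asdu) < ASDU_HEADER_LEN or c3 & 0x01:
            raise ValueError("malformed I-format APDU or truncated ASDU")
        if asdu[0] not in ALLOWED_ASDU_TYPES:
            raise ValueError(f"unsupported ASDU type {asdu[0]}")
        return Apdu("I", (c1 >> 1) | (c2 << 7), (c3 >> 1) | (c4 << 7), asdu)
    if c1 & 0x03 == 0x01:  # S format: supervisory acknowledgement, no ASDU
        if c1 != 0x01 or c2 or c3 & 0x01 or asdu:
            raise ValueError("malformed S-format APDU")
        return Apdu("S", None, (c3 >> 1) | (c4 << 7), b"")
    if c1 not in U_FUNCTIONS or c2 or c3 or c4 or asdu:  # U format: unnumbered control
        raise ValueError("malformed U-format APDU")
    return Apdu("U", None, None, b"")

def reject_reason(frame: bytes) -> Optional[str]:
    """Return None for a well-formed APDU, otherwise why a filter would drop it."""
    try:
        parse_apdu(frame)
    except ValueError as exc:
        return str(exc)
    return None
```

Frames that fail any check are dropped or logged before the application-layer ASDU decoder ever sees them, which removes the malformed-length and unexpected-format cases from the attack surface the advisory describes.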
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit these issues.
No vendor has confirmed these issues. Software updates are not available.