SB2014053101 - Multiple vulnerabilities in SCADA Data Gateway

Description

This security bulletin contains information about 2 vulnerabilities.

1) Input validation error (CVE-ID: CVE-2014-2342)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Triangle MicroWorks SCADA Data Gateway before 3.00.0635 allows remote attackers to cause a denial of service (excessive data processing) via a crafted DNP3 packet.

2) Input validation error (CVE-ID: CVE-2014-2343)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Triangle MicroWorks SCADA Data Gateway before 3.00.0635 allows physically proximate attackers to cause a denial of service (excessive data processing) via a crafted DNP request over a serial line.

Remediation

Install update from vendor's website.

References

• http://ics-cert.us-cert.gov/advisories/ICSA-14-149-01
• http://www.trianglemicroworks.com/products/scada-data-gateway/what%27s-new