Adam Crain

**Name of the Vulnerable Software and Affected Versions** Siemens ETA4 firmware versions prior to Revision 08 **Description** The issue allows specially crafted packets sent to Port 2404/TCP to cause the affected device to go into defect mode, resulting in a Denial-of-Service. A cold start might be required to recover the system. **Recommendations** For versions prior to Revision 08, update the firmware to Revision 08 or later to resolve the issue. As a temporary workaround, consider restricting access to Port 2404/TCP to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Triangle MicroWorks SCADA Data Gateway versions prior to 3.00.0635 **Description** The issue allows physically proximate attackers to cause a denial of service due to excessive data processing. This can be achieved via a crafted DNP request over a serial line. **Recommendations** For versions prior to 3.00.0635, update to version 3.00.0635 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OSIsoft PI Interface versions prior to 3.1.2.54 for DNP3 **Description** The issue allows remote attackers to cause a denial of service, resulting in the shutdown of the interface, by sending a crafted TCP packet. **Recommendations** For versions prior to 3.1.2.54, update to version 3.1.2.54 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OSIsoft PI Interface versions prior to 3.1.2.54 for DNP3 **Description** The issue allows physically proximate attackers to cause a denial of service, resulting in the shutdown of the interface, by sending crafted input over a serial line. **Recommendations** For versions prior to 3.1.2.54, update to version 3.1.2.54 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MatrikonOPC SCADA DNP3 OPC Server versions 1.2.2.0 and earlier **Description** The issue allows remote attackers to cause a denial of service, resulting in an infinite loop, by sending a malformed DNP3 packet. **Recommendations** For versions 1.2.2.0 and earlier, update to a version later than 1.2.2.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** NovaTech Orion Substation Automation Platform OrionLX DNP Master versions 1.27.38 and earlier NovaTech Orion Substation Automation Platform OrionLX DNP Slave versions 1.23.10 and earlier NovaTech Orion5/Orion5r DNP Master versions 1.27.38 and earlier NovaTech Orion5/Orion5r DNP Slave versions 1.23.10 and earlier **Description** The issue allows remote attackers to cause a denial of service, resulting in a driver crash and process restart, via a crafted DNP3 TCP packet. **Recommendations** For NovaTech Orion Substation Automation Platform OrionLX DNP Master version 1.27.38 and earlier, update to a version that fixes the issue. For NovaTech Orion Substation Automation Platform OrionLX DNP Slave version 1.23.10 and earlier, update to a version that fixes the issue. For NovaTech Orion5/Orion5r DNP Master version 1.27.38 and earlier, update to a version that fixes the issue. For NovaTech Orion5/Orion5r DNP Slave version 1.23.10 and earlier, update to a version that fixes the issue.

**Name of the Vulnerable Software and Affected Versions** NovaTech Orion Substation Automation Platform OrionLX DNP Master versions 1.27.38 and earlier NovaTech Orion Substation Automation Platform OrionLX DNP Slave versions 1.23.10 and earlier NovaTech Orion5/Orion5r DNP Master versions 1.27.38 and earlier NovaTech Orion5/Orion5r DNP Slave versions 1.23.10 and earlier **Description** The issue allows physically proximate attackers to cause a denial of service, resulting in a driver crash and process restart, via crafted input over a serial line. **Recommendations** For NovaTech Orion Substation Automation Platform OrionLX DNP Master version 1.27.38 and earlier, update to a version that addresses the issue. For NovaTech Orion Substation Automation Platform OrionLX DNP Slave version 1.23.10 and earlier, update to a version that addresses the issue. For NovaTech Orion5/Orion5r DNP Master version 1.27.38 and earlier, update to a version that addresses the issue. For NovaTech Orion5/Orion5r DNP Slave version 1.23.10 and earlier, update to a version that addresses the issue.

**Name of the Vulnerable Software and Affected Versions** Elecsys Director Gateway devices with kernel 2.6.32.11ael1 and earlier **Description** The issue allows remote attackers to cause a denial of service, resulting in CPU consumption and communication outage, via crafted input to the DNP3 service in the Outstation component. **Recommendations** For kernel versions 2.6.32.11ael1 and earlier, consider disabling the DNP3 service in the Outstation component as a temporary workaround to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SubSTATION Server versions 2.7.0033 through 2.8.0106 **Description** The issue concerns the DNP3 Slave service, which allows remote attackers to cause a denial of service. This can be achieved through unspecified vectors, resulting in an unhandled exception and process crash. **Recommendations** For versions 2.7.0033 through 2.8.0106, consider disabling the DNP3 Slave service as a temporary workaround until a patch is available. Restrict access to the service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Triangle MicroWorks SCADA Data Gateway versions 2.50.0309 through 3.00.0616 DNP3 .NET Protocol components versions 3.06.0.171 through 3.15.0.369 DNP3 C libraries versions 3.06.0000 through 3.15.0000 **Description** The issue allows physically proximate attackers to cause a denial of service, resulting in an infinite loop, via crafted input over a serial line. **Recommendations** For Triangle MicroWorks SCADA Data Gateway versions 2.50.0309 through 3.00.0616, update to a version outside of this range to resolve the issue. For DNP3 .NET Protocol components versions 3.06.0.171 through 3.15.0.369, update to a version outside of this range to resolve the issue. For DNP3 C libraries versions 3.06.0000 through 3.15.0000, update to a version outside of this range to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Triangle MicroWorks SCADA Data Gateway versions 2.50.0309 through 3.00.0616 DNP3 .NET Protocol components versions 3.06.0.171 through 3.15.0.369 DNP3 C libraries versions 3.06.0000 through 3.15.0000 **Description** The issue allows remote attackers to cause a denial of service, resulting in an infinite loop, via a crafted DNP3 TCP packet. **Recommendations** For Triangle MicroWorks SCADA Data Gateway versions 2.50.0309 through 3.00.0616, update to a version outside of this range to resolve the issue. For DNP3 .NET Protocol components versions 3.06.0.171 through 3.15.0.369, update to a version outside of this range to resolve the issue. For DNP3 C libraries versions 3.06.0000 through 3.15.0000, update to a version outside of this range to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Software Toolbox TOP Server versions prior to 5.12.140.0 **Description** The issue allows remote attackers to cause a denial of service via crafted DNP3 packets to TCP port 20000, and physically proximate attackers to cause a denial of service via crafted input over a serial line, resulting in a master-station infinite loop. **Recommendations** For versions prior to 5.12.140.0, update to version 5.12.140.0 or later to resolve the issue. As a temporary workaround, consider restricting access to TCP port 20000 and limiting physical access to the serial line to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** KEPServerEX Communications Platform versions prior to 5.12.140.0 **Description** The issue allows remote attackers to cause a denial of service via crafted DNP3 packets to TCP port 20000, and physically proximate attackers to cause a denial of service via crafted input over a serial line, resulting in a master-station infinite loop. **Recommendations** For versions prior to 5.12.140.0, update to version 5.12.140.0 or later to resolve the issue. As a temporary workaround, consider restricting access to TCP port 20000 and limiting physical access to the serial line to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Schweitzer Engineering Laboratories (SEL) SEL-2241, SEL-3505, and SEL-3530 RTAC master devices **Description** The issue allows remote attackers to cause a denial of service, resulting in an infinite loop, by sending a crafted DNP3 TCP packet. **Recommendations** For SEL-2241, SEL-3505, and SEL-3530 RTAC master devices, consider restricting access to DNP3 TCP packets until a fix is available. As a temporary workaround, consider implementing network traffic filtering to block crafted DNP3 TCP packets. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Schweitzer Engineering Laboratories (SEL) SEL-2241, SEL-3505, and SEL-3530 RTAC master devices **Description** The issue allows physically proximate attackers to cause a denial of service, resulting in an infinite loop, via crafted input over a serial line. **Recommendations** For SEL-2241, SEL-3505, and SEL-3530 RTAC master devices, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IOServer drivers version 1.0.19.0 **Description** The issue allows remote attackers to cause a denial of service, resulting in an infinite loop, or obtain unspecified control by sending crafted data to the TCP port 20000. **Recommendations** For IOServer drivers version 1.0.19.0, consider restricting access to TCP port 20000 until a patch is available. As a temporary workaround, disabling the DNP3 driver may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.