CVSS2: 9.4 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C
EPSS: 0.003 Low
Percentile: 65.5%
This advisory was originally posted to the US-CERT secure Portal library on April 16, 2013, and is now being released to the ICS-CERT Web page.
Independent researcher Dillon Beresford of Cimation has identified vulnerabilities in two MatrikonOPC products: MatrikonOPC A&E Historian and MatrikonOPC Security Gateway. MatrikonOPC has produced patches that mitigate these vulnerabilities. Mr. Beresford has tested the patches to validate that they resolve the vulnerabilities.
These vulnerabilities could be exploited remotely.
The following MatrikonOPC A&E Historian and MatrikonOPC Security Gateway versions are affected:
By sending a specially crafted packet to Port 8543/TCP when the Health Monitor service is running, an attacker can exploit a directory traversal vulnerability and read any file on the server running the Historian Health Monitor service. When an attacker accesses a file on the affected system using this directory traversal mechanism, the file may be deleted by the MatrikonOPC software. MatrikonOPC has notified all affected customers.
The vulnerability that affects MatrikonOPC Security Gateway can cause a temporary denial of service by crashing a utility provided with, and used for configuration of, the OPC Security Gateway with an unhandled exception. This is accomplished by sending a reset command to Port 30544/TCP while the connection is active. Although this vulnerability can be remotely exploited, in practical terms the potential impact is relatively low. No arbitrary code exploit is possible, and the OPC Security Gateway continues to function.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
MatrikonOPC is a US-based company whose products serve the oil and gas, mining, power and utilities, petrochemical, and other industries. MatrikonOPC products are primarily used in the US, Canada, and UK.
The first affected product, MatrikonOPC A&E Historian, records alarms and events that occur within an ICS OPC network. The MatrikonOPC A&E Historian includes a Health Monitor service that allows the user to monitor the health and performance of the Historian’s Web server and servlets.
The second affected product, the MatrikonOPC Security Gateway, provides a link between an ICS OPC network and external networks to provide traffic isolation and enforce security policies. This product can be used in OPC network applications and is installed mainly in the US, Canada, and the UK.
The MatrikonOPC A&E Historian incorporates a Health Monitor service that publishes a Web interface to allow users to monitor control components and activities on the ICS network. This Web interface has a vulnerability where a user can access system files by modifying the URL in a browser.
CVE-2013-0673 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0673 ; NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory). A CVSS v2 base score of 9.4 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:N/A:C) (CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:C/I:N/A:C), Web site last visited April 26, 2013).
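As an added example (not part of the ICS-CERT advisory and not MatrikonOPC code), the following Python shows how a defender could flag requests to the Health Monitor port whose path climbs above the web root, including percent-encoded and double-encoded forms. The log line format, addresses, and paths are constructed for illustration; the advisory does not publish the service's log format or request syntax.

```python
import re
from urllib.parse import unquote

HEALTH_MONITOR_PORT = 8543  # port named in the advisory

# Constructed sample lines (assumed format: src_ip dst_port "METHOD target").
SAMPLE_LOG = """\
10.0.0.5 8543 "GET /status/index.html"
10.0.0.9 8543 "GET /status/../../../outside.txt"
10.0.0.9 8543 "GET /status/%2e%2e%5c%2e%2e%5coutside.txt"
10.0.0.9 8543 "GET /status/%252e%252e/%252e%252e/outside.txt"
10.0.0.7 80 "GET /a/../b.html"
"""

LINE_RE = re.compile(r'^(\S+) (\d+) "(\S+) (\S+)"$')

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so double-encoded dots are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def escapes_root(target):
    """True if the path's '..' segments climb above the web root."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def find_traversal(log_text, port=HEALTH_MONITOR_PORT):
    """Return (source, raw target) for each escaping request to the port."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(2)) == port and escapes_root(m.group(4)):
            hits.append((m.group(1), m.group(4)))
    return hits
```

Tracking segment depth rather than matching the literal string `../` avoids false positives on paths that use `..` but stay inside the web root.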
A valid TCP/IP reset packet (RST) sent to Port 30544/TCP causes the configuration utility to crash with an unhandled exception.
CVE-2013-0666 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0666 ; NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory). A CVSS v2 base score of 5.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:P) (CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P), Web site last visited April 26, 2013).
These vulnerabilities could be exploited remotely.
No known public exploits specifically target these vulnerabilities.
An attacker with low skill would be able to exploit these vulnerabilities if the devices are exposed to the Internet.
MatrikonOPC has produced patches that mitigate these vulnerabilities. The patches can be downloaded and installed using the following process:
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
www.matrikonopc.com/login/index.aspx