Denial of Service vulnerability discovered in Triconex TriStation Software Suite Emulator

Applied Risk ICS Security Consultant Tom Westenberg discovered a DoS vulnerability in an emulated version of the Triconex TriStation Software Suite.

Triconex TriStation Software Suite Emulator

Triconex is a Schneider Electric brand that supplies systems and products for critical control and industrial safety-shutdown technology. The Triconex Emulator is software that allows users to emulate and execute TriStation 1131 applications without connecting to a Tricon, Trident, or Tri-GP controller.

Using the Emulator, users can test applications in an offline environment without exposing their online processes to potential application errors. In a live environment, these controllers provide safety functions that protect people and production assets in industries such as Oil & Gas, Chemicals and Power.

This vulnerability can be triggered by sending specifically crafted TSAA packets over the network to the victim on UDP port 1500. Multiple distinct packets were identified that trigger the DoS condition.

Communication settings within the Triconex Emulator allow different Node Numbers to be configured. The crafted TSAA packet must match the victim's Node Number for exploitation to succeed.
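Because the advisory pins the attack surface to UDP port 1500 on the emulator host, a defender can monitor that port directly. The following is an added detection example written for this page (not Applied Risk's or Schneider Electric's code); it assumes flow records of the constructed form shown (src, dst, proto, dport, pkts) and an allow-list of engineering workstations, and flags both unexpected sources and packet bursts toward emulator hosts without parsing the TSAA payload itself.

```python
"""Flag unexpected UDP/1500 (TSAA) traffic toward Triconex Emulator hosts.

Added example for this advisory, not vendor or Applied Risk code.
Flow-record layout and sample addresses are constructed assumptions.
"""
from collections import defaultdict

TSAA_UDP_PORT = 1500  # port named in the advisory


def tsaa_alerts(flows, emulator_hosts, allowed_sources, burst_threshold=50):
    """Return alert dicts for suspicious TSAA traffic.

    1. UDP/1500 to an emulator host from a source that is not an
       allow-listed engineering workstation.
    2. Any source sending more than burst_threshold UDP/1500 packets to
       one emulator host, a possible sign of repeated crafted packets.
    """
    alerts = []
    per_pair = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp" or f["dport"] != TSAA_UDP_PORT:
            continue
        if f["dst"] not in emulator_hosts:
            continue
        if f["src"] not in allowed_sources:
            alerts.append({"type": "unexpected_source",
                           "src": f["src"], "dst": f["dst"]})
        per_pair[(f["src"], f["dst"])] += f["pkts"]
    for (src, dst), n in per_pair.items():
        if n > burst_threshold:
            alerts.append({"type": "burst", "src": src, "dst": dst, "pkts": n})
    return alerts


# Constructed sample flows (not from a real capture).
SAMPLE_FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.2.5", "proto": "udp", "dport": 1500, "pkts": 12},
    {"src": "10.0.9.77", "dst": "10.0.2.5", "proto": "udp", "dport": 1500, "pkts": 3},
    {"src": "10.0.1.10", "dst": "10.0.2.5", "proto": "udp", "dport": 1500, "pkts": 60},
    {"src": "10.0.9.77", "dst": "10.0.2.5", "proto": "tcp", "dport": 1500, "pkts": 5},
    {"src": "10.0.1.10", "dst": "10.0.3.9", "proto": "udp", "dport": 1500, "pkts": 4},
]
EMULATOR_HOSTS = {"10.0.2.5"}      # assumed emulator workstation
ALLOWED_SOURCES = {"10.0.1.10"}    # assumed engineering workstation

if __name__ == "__main__":
    for alert in tsaa_alerts(SAMPLE_FLOWS, EMULATOR_HOSTS, ALLOWED_SOURCES):
        print(alert)
```

The Node Number check described above cannot be replicated here because the TSAA packet format is not documented on this page; the example therefore alerts on transport-level facts only.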

There are no known public exploits which target this vulnerability at this time. Applied Risk has calculated a high CVSSv3 base score of 7.5 for this vulnerability; the CVSS vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.