CVE-2014-2345

Vulnerability

The vulnerability is an improper input validation (CWE-20) in the COPA-DATA zenon DNP3 NG driver (DNP3 master) versions 7.10 SP0 up to and including 7.11 SP0 build 10238, and the zenon DNP3 Process Gateway (DNP3 outstation) versions 7.11 SP0 build 10238 and prior [1][2]. The flaw resides in the handling of DNP3 packets received over TCP. By sending a specially crafted DNP3 packet, an attacker can trigger an infinite loop in the driver, leading to a process crash.

Exploitation

An attacker can exploit this vulnerability remotely by sending a single crafted DNP3 packet over TCP to an affected device. No authentication or prior access is required. The packet causes the DNP3 driver to enter an infinite loop, consuming CPU resources and eventually crashing the process [1][2].

Impact

Successful exploitation results in a denial-of-service (DoS) condition. The crash closes all communication connections and causes system instability, potentially disrupting SCADA operations in energy, water, and wastewater treatment environments [1][2]. No code execution or data compromise is reported.

Mitigation

COPA-DATA has produced an update that mitigates the vulnerability. Affected users should contact COPA-DATA support to obtain the patch [1][2]. No workaround is provided. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.