CVE-2020-13559

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability exists in FreyrSCADA IEC-60879-5-104 Server Simulator's traffic-logging functionality where specially crafted packets can crash the service. This affects organizations using FreyrSCADA IEC-60879-5-104 Server Simulator version 21.04.028 for industrial control system testing and development.

💻 Affected Systems

Products:
  • FreyrSCADA IEC-60879-5-104 Server Simulator
Versions: 21.04.028
Operating Systems: Windows (primary platform for SCADA systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the traffic-logging functionality of the IEC 60870-5-104 protocol implementation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption of the SCADA simulator, potentially affecting testing/development environments and causing operational impacts if used in production-like scenarios.

🟠 Likely Case

Service crash requiring manual restart of the simulator application, disrupting testing and development activities.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring in place to detect and block malicious packets.

🌐 Internet-Facing: MEDIUM - While SCADA systems should not be internet-facing, misconfigurations could expose this vulnerability to remote attackers.
🏢 Internal Only: HIGH - Industrial control system environments often have critical infrastructure where even temporary denial of service can have significant consequences.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Triggering the vulnerability requires sending specially crafted packets to the vulnerable service, which is relatively straightforward for attackers familiar with the IEC 60870-5-104 protocol.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with vendor for updated version

Vendor Advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1174

Restart Required: Yes

Instructions:

1. Contact FreyrSCADA vendor for patch information
2. Apply vendor-provided patch
3. Restart the FreyrSCADA IEC-60879-5-104 Server Simulator service
4. Verify the fix by testing with normal traffic

🔧 Temporary Workarounds

Disable traffic logging (Windows)

Temporarily disable the vulnerable traffic-logging functionality if not essential for operations

Check FreyrSCADA documentation for logging configuration options

Network segmentation (all platforms)

Isolate the simulator from untrusted networks using firewalls

Configure firewall rules to restrict access to TCP port 2404 (standard IEC 60870-5-104 port)

🧯 If You Can't Patch

  • Implement strict network access controls to limit which systems can communicate with the simulator
  • Deploy intrusion detection systems to monitor for anomalous IEC 60870-5-104 traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check if running FreyrSCADA IEC-60879-5-104 Server Simulator version 21.04.028 with traffic logging enabled

Check Version:

Check application version through FreyrSCADA interface or Windows Programs and Features

Verify Fix Applied:

Test with normal IEC 60870-5-104 traffic after patch application to ensure service remains stable

📡 Detection & Monitoring

Log Indicators:

  • Unexpected service crashes or restarts
  • Error messages related to traffic logging or packet processing

Network Indicators:

  • Malformed IEC 60870-5-104 packets targeting port 2404
  • Unusual traffic patterns to the simulator
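
The "malformed IEC 60870-5-104 packets" indicator above can be checked structurally on TCP/2404 payloads. The following is an added example, not code from FreyrSCADA or the Talos advisory: it applies the protocol's generic APCI framing rules, because the page does not say which malformation triggers the crash. The function names and sample bytes are constructed for illustration.

```python
# Added example: structural checks on IEC 60870-5-104 APCI framing (defensive triage).
START_BYTE = 0x68
MIN_LEN, MAX_LEN = 4, 253     # valid range of the APDU length octet
ASDU_HEADER_LEN = 6           # type, VSQ, COT (2), common address (2) as fixed by -104
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def check_apdu(buf: bytes, pos: int = 0):
    """Return (frame_kind, problem, next_pos); problem is None if well formed."""
    if buf[pos] != START_BYTE:
        return None, "bad start byte", None
    if pos + 2 > len(buf):
        return None, "truncated header", None
    length = buf[pos + 1]
    if not MIN_LEN <= length <= MAX_LEN:
        return None, "length octet out of range", None
    end = pos + 2 + length
    if end > len(buf):
        return None, "declared length exceeds payload", None
    cf1 = buf[pos + 2]
    if cf1 & 0x01 == 0:                   # I-format: must carry an ASDU
        if length < 4 + ASDU_HEADER_LEN:
            return "I", "I-frame too short for an ASDU header", end
        return "I", None, end
    if cf1 & 0x03 == 0x01:                # S-format: acknowledgement only
        return "S", (None if length == 4 else "S-frame with trailing data"), end
    if length != 4:                       # U-format: control functions only
        return "U", "U-frame with trailing data", end
    if cf1 not in U_FUNCTIONS:
        return "U", "unknown U-frame function bits", end
    return "U", None, end


def scan_payload(buf: bytes):
    """Walk one TCP payload; stop at the first point where framing is lost."""
    findings, pos = [], 0
    while pos < len(buf):
        kind, problem, nxt = check_apdu(buf, pos)
        findings.append((pos, kind, problem))
        if nxt is None:
            break
        pos = nxt
    return findings


# Constructed sample payloads (not captured traffic).
GOOD = bytes.fromhex("680443000000" "680401000200" "680e0000000064010600010000000014")
BAD_LENGTH = bytes.fromhex("68024300")
BAD_U = bytes.fromhex("6804ff000000")
SHORT_I = bytes.fromhex("680400000000")
```

Any finding with a non-`None` problem is a candidate for an IDS alert or for correlation with a simulator crash in the same time window.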

SIEM Query:

(source="freyrscada" AND (event_type="crash" OR event_type="error")) OR (destination_port=2404 AND packet_size_anomaly=true)
