ICCP/COTP TSAP Addressing Weakness

This script is Copyright (C) 2006-2011 Tenable Network Security, Inc.


Synopsis :

It is possible to determine a COTP TSAP value on the remote ICCP
server by trying possible values.

Description :

The ICCP stack (as well as the MMS and IEC 61850 stacks) includes ISO
7073 (RFC 905) at the Transport Layer. ISO 7073 specifies the
Connection Oriented Transport Protocol (COTP), which includes a pair of
user-configurable values, 16-bit numeric or in some cases ASCII
strings, that identify client endpoints. These values are called
Transport Service Access Points (TSAPs).

The TSAP used in the host server was guessed by trying a sample of
possible values that are commonly used and easily attempted by
trial-and-error.

Solution :

Upgrade to Secure ICCP, select a pseudorandom 16-bit value, or restrict
the port to authorized hosts.
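
The trial-and-error described above appears on the wire as one peer sending COTP Connection Requests with many different called TSAPs. The following is an added detection example, not part of the Nessus plugin: it parses TPKT-framed (RFC 1006) Connection Request TPDUs and flags such peers. The function names, the threshold of 3 and the sample packets are constructed assumptions.

```python
import struct
from collections import defaultdict

CR_TPDU = 0xE0                           # COTP Connection Request code (RFC 905)
CALLING_TSAP, CALLED_TSAP = 0xC1, 0xC2   # CR parameter codes

def parse_cotp_cr(payload: bytes):
    """Return the TSAPs of a TPKT-framed COTP CR, or None if not a CR or malformed."""
    if len(payload) < 11 or payload[0] != 3:       # TPKT version 3 (RFC 1006)
        return None
    tpkt_len = struct.unpack(">H", payload[2:4])[0]
    li = payload[4]                                # COTP length indicator
    end = 5 + li                                   # first byte past the COTP header
    if (li < 6 or end > tpkt_len or tpkt_len > len(payload)
            or (payload[5] & 0xF0) != CR_TPDU):
        return None
    tsaps, pos = {"calling": None, "called": None}, 11
    while pos + 2 <= end:                          # parameters: code, length, value
        code, plen = payload[pos], payload[pos + 1]
        if pos + 2 + plen > end:
            return None                            # truncated parameter
        value = payload[pos + 2:pos + 2 + plen]    # 16-bit or ASCII, kept as bytes
        if code == CALLING_TSAP:
            tsaps["calling"] = value
        elif code == CALLED_TSAP:
            tsaps["called"] = value
        pos += 2 + plen
    return tsaps

def find_tsap_guessing(events, threshold=3):
    """events: (src_ip, tcp_payload) pairs. Return peers that tried >= threshold called TSAPs."""
    seen = defaultdict(set)
    for src, payload in events:
        cr = parse_cotp_cr(payload)
        if cr and cr["called"] is not None:
            seen[src].add(cr["called"])
    return {s: sorted(v) for s, v in seen.items() if len(v) >= threshold}

def sample_cr(calling: bytes, called: bytes) -> bytes:
    """Constructed test data: a minimal class 0 CR TPDU inside TPKT."""
    params = (bytes([CALLING_TSAP, len(calling)]) + calling
              + bytes([CALLED_TSAP, len(called)]) + called)
    cotp = bytes([6 + len(params), CR_TPDU, 0, 0, 0, 1, 0]) + params
    return b"\x03\x00" + struct.pack(">H", 4 + len(cotp)) + cotp

# Constructed capture: one peer cycling called TSAPs, one peer behaving normally.
SAMPLE_EVENTS = [("192.0.2.10", sample_cr(b"\x00\x01", struct.pack(">H", t)))
                 for t in range(4)]
SAMPLE_EVENTS += [("192.0.2.20", sample_cr(b"\x00\x01", b"\x00\x01"))] * 5
```

In practice the events would come from a capture or sensor on the ICCP port, and the threshold would be tuned to the number of TSAPs legitimately configured on the server.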

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Family: SCADA

Nessus Plugin ID: 23812

Bugtraq ID:

CVE ID: