ICCP/COTP (ISO 8073) Protocol Detection

high Nessus Plugin ID 23811

Synopsis

COTP (ISO 8073) is running on the host and may be part of an ICCP server, MMS application, or substation automation device that uses IEC 61850 / UCA.

Description

The ICCP stack (like the stacks of other protocols such as MMS and IEC 61850) includes ISO 8073 (RFC 905) at the Transport Layer. ISO 8073 specifies the Connection Oriented Transport Protocol (COTP), which uses a pair of user-configurable 16-bit numeric values, or in some cases ASCII strings, to identify client endpoints called Transport Service Access Points (TSAPs).
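The TSAP pair described above can be read out of a captured COTP Connection Request when inventorying which endpoints a host is being asked for. The following is an added example, not the plugin's code: the function names are hypothetical, the parameter codes are those of ISO 8073 / RFC 905, and the sample bytes are constructed.

```python
import struct

CR_TPDU = 0xE0             # Connection Request; low nibble is the initial credit
PARAM_CALLING_TSAP = 0xC1  # variable-part parameter codes (ISO 8073 / RFC 905)
PARAM_CALLED_TSAP = 0xC2

def describe_tsap(value: bytes) -> dict:
    """Classify a TSAP the way the text does: 16-bit numeric or ASCII string."""
    if len(value) == 2:  # assumption: a two-octet TSAP is the numeric form
        return {"kind": "numeric16", "value": int.from_bytes(value, "big")}
    if value and all(0x20 <= b < 0x7F for b in value):
        return {"kind": "ascii", "value": value.decode("ascii")}
    return {"kind": "opaque", "value": value.hex()}

def parse_cotp_cr(tpdu: bytes) -> dict:
    """Extract references and TSAPs from one COTP Connection Request TPDU."""
    if len(tpdu) < 7:
        raise ValueError("too short for the CR fixed part")
    li = tpdu[0]  # length indicator: header length, not counting this octet
    if li == 0xFF or li + 1 > len(tpdu):
        raise ValueError("length indicator exceeds captured data")
    if tpdu[1] & 0xF0 != CR_TPDU:
        raise ValueError("not a Connection Request TPDU")
    dst_ref, src_ref, class_opt = struct.unpack(">HHB", tpdu[2:7])
    out = {"dst_ref": dst_ref, "src_ref": src_ref, "class": class_opt >> 4,
           "calling_tsap": None, "called_tsap": None}
    pos, end = 7, li + 1
    while pos < end:  # variable part: code, length, value triples
        if pos + 2 > end:
            raise ValueError("truncated parameter header")
        code, length = tpdu[pos], tpdu[pos + 1]
        if pos + 2 + length > end:
            raise ValueError("parameter overruns the header")
        value = tpdu[pos + 2:pos + 2 + length]
        if code == PARAM_CALLING_TSAP:
            out["calling_tsap"] = describe_tsap(value)
        elif code == PARAM_CALLED_TSAP:
            out["called_tsap"] = describe_tsap(value)
        pos += 2 + length
    return out

# Constructed sample: class 0 CR, TPDU-size parameter (0xC0), calling TSAP
# 0x0001, called TSAP given as the ASCII string "ICCP1".
SAMPLE_CR = bytes.fromhex("14e00000000100c0010ac1020001c205") + b"ICCP1"

if __name__ == "__main__":
    print(parse_cotp_cr(SAMPLE_CR))
```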

Note that ICCP by itself does not offer protection against eavesdropping, spoofing, man-in-the-middle, and similar attacks.

Solution

Either limit traffic to this port to authorized hosts or upgrade to Secure ICCP, which protects the basic protocol with SSL / TLS encryption and digital certificates.

See Also

https://wiki.wireshark.org/COTP

http://www.nessus.org/u?672d06fe

Plugin Details

Severity: High

ID: 23811

File Name: scada_iccp_cotp_detect.nbin

Version: 1.79

Type: remote

Family: SCADA

Published: 12/11/2006

Updated: 3/19/2024

Asset Inventory: true

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 7.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:W/RC:C