Nanda Automation Technology AT_NA2000 PLC Denial-of-Service Vulnerability via TCP RST Packet Processing

Vulnerability

A denial-of-service vulnerability has been identified in the AT_NA2000 PLC from Nanda Automation Technology. The issue arises from the PLC's handling of TCP RST packets, where it accepts a broad range of sequence numbers. RFC 5961 (section 3.2) requires a receiver to tear down a connection only when the RST sequence number exactly matches the next expected sequence number (RCV.NXT), to answer an in-window but non-matching RST with a challenge ACK, and to drop anything outside the window. The PLC instead accepts any RST whose sequence number falls anywhere within the current receive window, violating RFC 5961. This vulnerability enables attackers to send multiple random TCP RST packets that land in the accepted sequence number range, disrupting normal connections and causing a denial-of-service condition.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where normal TCP connections to the PLC are interrupted, causing disruption in communication and potentially impacting any automated processes relying on that connection.

Reproduction

The vulnerability can be reproduced by establishing a TCP connection with the AT_NA2000 PLC and then sending RST packets with sequence numbers that fall within the accepted range of the current receive window. This can be automated with a Python script that generates RST packets based on the window size, effectively traversing the entire sequence number space to disconnect the TCP connection.
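The following is an added example, not code from the advisory or from Nanda Automation Technology. It models the receiver-side RST check that the Vulnerability and Reproduction sections describe: the permissive rule (any in-window RST resets the connection) beside the RFC 5961 section 3.2 rule (reset only on an exact RCV.NXT match, challenge ACK for other in-window RSTs, drop otherwise), with 32-bit sequence-number wraparound handled. It also quantifies the exposure the Reproduction section relies on: under the permissive rule the number of RST probes needed to be sure of hitting the accepting range shrinks from 2^32 to roughly 2^32 divided by the window size. The connection state values and RST sequence numbers are constructed for illustration.

```python
"""RFC 5961 RST validation, permissive vs. compliant (added illustration).

Not code from the advisory or the vendor. TcpState values and the RST
sequence numbers used below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


class RstAction(Enum):
    RESET = "reset"                  # tear the connection down
    CHALLENGE_ACK = "challenge_ack"  # send ACK with RCV.NXT, keep the connection
    DROP = "drop"                    # silently ignore the segment


@dataclass(frozen=True)
class TcpState:
    rcv_nxt: int  # next sequence number the receiver expects
    rcv_wnd: int  # current receive window size in bytes


def in_receive_window(seq: int, state: TcpState) -> bool:
    """True if RCV.NXT <= seq < RCV.NXT + RCV.WND, computed modulo 2^32 so a
    window that straddles the wraparound point is handled correctly."""
    return (seq - state.rcv_nxt) % SEQ_MOD < state.rcv_wnd


def permissive_rst_check(seq: int, state: TcpState) -> RstAction:
    """Behaviour the advisory attributes to the PLC (and the original RFC 793
    rule): any RST whose sequence number is inside the window resets."""
    return RstAction.RESET if in_receive_window(seq, state) else RstAction.DROP


def rfc5961_rst_check(seq: int, state: TcpState) -> RstAction:
    """RFC 5961 section 3.2: only an exact RCV.NXT match resets; an in-window
    mismatch gets a challenge ACK (the peer re-sends a correct RST if the reset
    was genuine); anything else is dropped."""
    if seq == state.rcv_nxt:
        return RstAction.RESET
    if in_receive_window(seq, state):
        return RstAction.CHALLENGE_ACK
    return RstAction.DROP


def probes_to_cover_space(check, state: TcpState) -> int:
    """Number of RST sequence numbers a sender without knowledge of RCV.NXT
    must try to be certain one of them resets the connection.

    Under the permissive rule every window-sized stride contains an accepting
    value, so ceil(2^32 / RCV.WND) probes suffice; under RFC 5961 exactly one
    value resets, so the whole 2^32 space is needed.
    """
    if check is permissive_rst_check:
        return -(-SEQ_MOD // state.rcv_wnd)  # ceiling division
    return SEQ_MOD


def compare_checks(state: TcpState, rst_sequence_numbers):
    """Run a list of RST sequence numbers through both checks and return
    (seq, permissive_action, rfc5961_action) tuples for inspection."""
    return [
        (seq, permissive_rst_check(seq, state), rfc5961_rst_check(seq, state))
        for seq in rst_sequence_numbers
    ]


if __name__ == "__main__":
    # Constructed connection state: window sits just before the 2^32 wrap.
    state = TcpState(rcv_nxt=SEQ_MOD - 100, rcv_wnd=65535)
    samples = [
        SEQ_MOD - 100,  # exact RCV.NXT: both rules reset
        50,             # in window after wraparound: permissive resets, RFC 5961 challenges
        1_000_000_000,  # far outside the window: both drop
    ]
    for seq, permissive, compliant in compare_checks(state, samples):
        print(f"seq={seq:>10}  permissive={permissive.value:<13} rfc5961={compliant.value}")
    print("probes needed, permissive:", probes_to_cover_space(permissive_rst_check, state))
    print("probes needed, RFC 5961: ", probes_to_cover_space(rfc5961_rst_check, state))
```

The challenge ACK is the key design point: a legitimate peer that really did reset responds to the ACK with a new RST carrying the exact sequence number, so compliant behaviour costs one extra round trip on a genuine reset while a guessed in-window RST never closes the connection.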

Added: Sep 29, 2025, 5:19 PM
Updated: Sep 29, 2025, 7:54 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.