Fixes for Sielco Sistemi Holes

Wednesday, August 1, 2012 @ 03:08 PM gHale


Sielco Sistemi created a new release that corrects all vulnerabilities in its Winlog application.

Researcher Carlos Mario Penagos Hollmann of IOActive, who found the vulnerabilities along with Michael Messner and Luigi Auriemma, tested the release to validate that it resolves the remotely exploitable vulnerabilities, according to a report on ICS-CERT.

Exploit code is publicly available for these vulnerabilities.

The following Sielco Sistemi products are affected: Winlog Pro SCADA, all versions prior to 2.07.18, and Winlog Lite SCADA, all versions prior to 2.07.18.

Successful exploitation of these vulnerabilities could lead to a program crash, information leakage, or arbitrary code execution.

Sielco Sistemi is an Italy-based company that creates supervisory control and data acquisition (SCADA)/human-machine interface (HMI) software and hardware products.

Winlog Lite SCADA is a demo version of the Winlog Pro SCADA/HMI system. Winlog Pro SCADA sees use across several sectors including manufacturing, public utilities, telecommunications, and others. Sielco Sistemi products are used mainly in Italy, Turkey, Canada, the U.S., Indonesia, and Spain.

By sending specially crafted packets to Port 46824/TCP, an attacker can overflow a memory buffer on the target system. Errors in RunTime.exe and TCPIPS_Story.dll can be exploited by these packets to cause the buffer overflow; the packets can also trigger a boundary error in RunTime.exe that causes a buffer overflow. This can allow the attacker to cause a denial-of-service condition leading to a crash, or possibly to execute arbitrary code. CVE-2012-3815 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

In addition, unauthorized users can access and read files on the system Winlog is running on by triggering an input validation error. An attacker can send a specially formed packet to Port 46824/TCP to gain unauthorized access to the system, which may lead to information leakage. CVE-2012-3815 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

By sending specially crafted packets that point outside of the defined array, an attacker can crash the system. Using 32-bit operation coding, a file pointer outside the array can execute arbitrary code and cause a denial-of-service condition leading to a crash. CVE-2012-3815 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

Also, by sending a specially formed packet, unauthorized attackers are able to write outside of the existing buffer allocation. The allocation error that occurs when processing these packets can be exploited to reference an invalid memory location, which could crash the system. CVE-2012-3815 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
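The three memory-safety flaws described above (an index that points outside the defined array, a length that overruns the buffer, and an allocation error that references invalid memory) share one root cause: values taken straight from the packet are used as array indices and copy lengths without being checked against what the program actually allocated. The C example below is added here and is not Sielco Sistemi code; the packet layout, the record table, and the function names are invented for illustration and say nothing about the real Winlog protocol on 46824/TCP. The unchecked handler is included only for contrast and is never exercised; the hardened handler rejects each malformed input with a distinct return code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a packet handler that stores a network-supplied
 * payload in a fixed table of records. Wire format invented for this
 * illustration (NOT the Winlog protocol):
 *   byte 0    : record index
 *   byte 1    : payload length
 *   bytes 2.. : payload */
#define MAX_RECORDS    16
#define MAX_VALUE_LEN  32
#define HDR_LEN        2

typedef struct { char value[MAX_VALUE_LEN]; } record_t;

static record_t records[MAX_RECORDS];

/* Vulnerable pattern, shown for contrast and never called below: index and
 * length are trusted as received, so a hostile packet can pick a record
 * outside the array (boundary error) or copy more bytes than the record
 * holds (buffer overflow). */
int handle_packet_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN)
        return -1;
    uint8_t idx = pkt[0];
    uint8_t len = pkt[1];
    memcpy(records[idx].value, pkt + HDR_LEN, len); /* idx and len unchecked */
    return 0;
}

/* Hardened handler: every wire-supplied value is validated against the
 * sizes the program allocated before it is used. */
int handle_packet_checked(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt == NULL || pkt_len < HDR_LEN)
        return -1;                  /* truncated header */
    uint8_t idx = pkt[0];
    uint8_t len = pkt[1];
    if (idx >= MAX_RECORDS)
        return -2;                  /* index points outside the array */
    if (len >= MAX_VALUE_LEN)
        return -3;                  /* would overflow the record (room for NUL) */
    if ((size_t)len > pkt_len - HDR_LEN)
        return -4;                  /* declared length exceeds bytes received */
    memcpy(records[idx].value, pkt + HDR_LEN, len);
    records[idx].value[len] = '\0';
    return 0;
}

/* Bounds-checked read-back so callers never index the table blindly. */
const char *record_value(size_t idx)
{
    return idx < MAX_RECORDS ? records[idx].value : NULL;
}

/* Constructed inputs exercising the hardened handler; each returns 1 when
 * the handler behaves as expected. */
int demo_valid_packet(void)
{
    const uint8_t pkt[] = { 3, 5, 'h', 'e', 'l', 'l', 'o' };
    return handle_packet_checked(pkt, sizeof pkt) == 0
        && strcmp(record_value(3), "hello") == 0;
}

int demo_index_outside_array(void)
{
    const uint8_t pkt[] = { 200, 1, 'x' };          /* index 200, table has 16 */
    return handle_packet_checked(pkt, sizeof pkt) == -2;
}

int demo_length_overflows_record(void)
{
    const uint8_t pkt[] = { 1, 255, 'x' };          /* claims 255 bytes for a 32-byte record */
    return handle_packet_checked(pkt, sizeof pkt) == -3;
}

int demo_length_exceeds_packet(void)
{
    const uint8_t pkt[] = { 1, 10, 'a', 'b' };      /* claims 10 bytes, only 2 present */
    return handle_packet_checked(pkt, sizeof pkt) == -4;
}

int demo_truncated_header(void)
{
    const uint8_t pkt[] = { 1 };                    /* header incomplete */
    return handle_packet_checked(pkt, sizeof pkt) == -1;
}

int main(void)
{
    printf("valid packet accepted:     %d\n", demo_valid_packet());
    printf("bad index rejected:        %d\n", demo_index_outside_array());
    printf("oversize length rejected:  %d\n", demo_length_overflows_record());
    printf("short packet rejected:     %d\n", demo_length_exceeds_packet());
    printf("truncated header rejected: %d\n", demo_truncated_header());
    return 0;
}
```

The distinct return codes matter for operations as much as for correctness: a handler that silently drops malformed packets gives nothing to log, whereas one that reports which check failed lets a defender count rejected packets per source and notice a host probing the listener on 46824/TCP before the patched release is rolled out.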

An attacker with a low-skill level would be able to exploit these vulnerabilities.

Sielco Sistemi’s update, Winlog Pro SCADA and Winlog Lite SCADA Version 2.07.18, is available for customer download.
