Indusoft Produces Hotfix for Bug

Friday, March 8, 2013 @ 05:03 PM gHale


Indusoft created a fix that mitigates a directory traversal vulnerability in Indusoft Studio and Advantech Studio applications, according to a report on ICS-CERT.

Indusoft originally produced the product, which was later rebranded as Advantech Studio (both products share the vulnerability).


This remotely exploitable vulnerability was discovered by independent researcher Nin3, who released proof-of-concept (PoC) exploit code without coordination with ICS-CERT, the vendor, or any other coordinating entity known to ICS-CERT; attacks targeting this vulnerability are therefore publicly available.

The following product versions suffer from the issue:
• Advantech Studio V7.0 and previous
• Indusoft Studio V7.0 and previous

Successful exploitation of this vulnerability could allow an attacker to download arbitrary files from the target system.

Indusoft designed and maintains Advantech Studio, which is a collection of automation tools that includes components required to develop human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) system applications that run on various Windows platforms.

According to Advantech, Advantech Studio currently sees use at nearly 2,000 installations worldwide. Advantech Studio is used in a variety of applications including energy, building automation, water and wastewater management, and manufacturing.

Indusoft products are often integrated as third-party components in other vendors’ products. Indusoft is a U.S.-based company that sells through distributors worldwide.

Advantech Studio contains a flaw in the call to the CreateFileW function made by the sub_401A90 routine in NTWebServer.exe. The issue occurs when the routine handles a request containing an absolute path, which may allow a remote attacker to gain access to arbitrary files.
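The flaw described above is the classic shape of a file-serving component that hands a client-supplied path straight to the file-open API. The validator below is an added example written for this article; it is not Indusoft or Advantech code and does not reproduce the NTWebServer logic. It shows the check a web server should apply before a requested path reaches CreateFileW or fopen: the request must be relative, contain no ".." segment, and resolve only underneath a fixed document root. The document root, function name and sample requests are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not Indusoft/Advantech code: a request-path validator of the
 * kind a file-serving web server should apply before opening a file on the
 * client's behalf. Accepts only relative paths made of plain name segments and
 * joins them under a fixed document root. */

enum { PATH_OK = 0, PATH_REJECT = -1 };

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Returns 1 if the request, by its form alone, names a location that is not
 * relative to the document root: a POSIX absolute path ("/..."), a Windows
 * root or UNC path ("\\...", "\\\\server\\share"), or a drive path ("C:..."). */
static int is_absolute_request(const char *req)
{
    if (is_sep(req[0]))
        return 1;
    if (isalpha((unsigned char)req[0]) && req[1] == ':')
        return 1;
    return 0;
}

/* Builds "<docroot>/<segment>/..." in out. Rejects empty and absolute
 * requests, any ".." segment (never walk upward), and any segment containing
 * ':' (drive letters, NTFS alternate data streams). "." and empty segments
 * ("a//b") are skipped. Returns PATH_OK or PATH_REJECT; out is only valid
 * on PATH_OK. */
int safe_resolve_request_path(const char *docroot, const char *req,
                              char *out, size_t outlen)
{
    if (req == NULL || req[0] == '\0' || is_absolute_request(req))
        return PATH_REJECT;

    size_t root_len = strlen(docroot);
    if (root_len + 1 >= outlen)
        return PATH_REJECT;
    memcpy(out, docroot, root_len);
    size_t used = root_len;

    const char *p = req;
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && !is_sep(*p))
            p++;
        size_t len = (size_t)(p - start);

        if (len == 0 || (len == 1 && start[0] == '.')) {
            /* empty segment or "." carries no information: skip it */
        } else if (len == 2 && start[0] == '.' && start[1] == '.') {
            return PATH_REJECT;
        } else if (memchr(start, ':', len) != NULL) {
            return PATH_REJECT;
        } else {
            if (used + 1 + len + 1 > outlen)
                return PATH_REJECT;
            out[used++] = '/';
            memcpy(out + used, start, len);
            used += len;
        }
        while (is_sep(*p))
            p++;
    }
    out[used] = '\0';
    /* A request made only of "." and separators names the root directory
     * itself, which this server does not serve as a file. */
    return used > root_len ? PATH_OK : PATH_REJECT;
}

int main(void)
{
    /* constructed sample requests, both benign and malformed */
    static const char *samples[] = {
        "index.html", "./img//logo.png", "/etc/hosts", "C:\\boot.ini",
        "..\\..\\secret.txt", "\\\\srv\\share\\f", "file.txt:stream"
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = safe_resolve_request_path("/var/www", samples[i], buf, sizeof buf);
        printf("%-20s -> %s\n", samples[i], rc == PATH_OK ? buf : "REJECTED");
    }
    return 0;
}
```

The validator works on the decoded request, so URL decoding (including double-encoded sequences) must happen once, before this check, and the resulting path should still be opened with a handle that does not follow reparse points or symbolic links out of the root. Rejecting ':' in segments is deliberate: on Windows, a bare name like file.txt:stream reaches an alternate data stream that a separate directory check would not see.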

CVE-2013-1627 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

An attacker with a low skill level would be able to exploit this vulnerability.

Indusoft created a hotfix for this vulnerability. In order to install the hotfix, customers should send a request to support@indusoft.com. Indusoft will send the installation files and assist the customer through the installation process.
