More SCADA, HMI Holes Found

Tuesday, February 14, 2012 @ 05:02 PM gHale

The good news is that researchers continue to find holes, which gives companies the chance to patch the problems; the bad news is that these holes could end up being the low-hanging fruit attackers use to hit a manufacturer.

Vulnerabilities continue to hit the cyber street as holes are found in SCADA and HMI programs.


In one case, there is an RPC server vulnerability with proof-of-concept (PoC) exploit code affecting the Advantech BroadWin WebAccess software, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product.

The WebAccess software is vulnerable to an RPC exploit against the WebAccess network service on either Port 4592/TCP or 14592/TCP, the report said. This report, released by amisto0x07 and Z0mb1E, went out without coordination with either the vendor or ICS-CERT.

ICS-CERT notified Advantech, and while this is similar to a previous report filed by security researcher Rubén Santamarta, this exploit targets a different vulnerability in the RPC service. ICS-CERT issued this alert to provide early notice and to identify baseline mitigations for reducing risks to this and other attacks.

The report included vulnerability details and PoC exploit code for a missing-authentication-for-critical-function vulnerability, which is remotely exploitable and could lead to remote code execution or denial of service (DoS).

Meanwhile, there are multiple DoS vulnerabilities in the Ing. Punzenberger COPA-DATA GmbH zenon HMI system.

ICS-CERT has coordinated with Ing. Punzenberger COPA-DATA GmbH, which produced an updated software release that resolves these vulnerabilities, and with researcher Kuang-Chun Hung of the Security Research and Service Institute, Information and Communication Security Technology Center (ICST), who found them. ICST tested the new release and verified it fully resolves these vulnerabilities.

Ing. Punzenberger COPA-DATA GmbH zenon 6.51 SP0 is affected by these vulnerabilities. Successful exploitation may allow an attacker to execute a DoS attack and potentially execute arbitrary code.

According to Ing. Punzenberger COPA-DATA GmbH, zenon is an HMI that offers a graphical visualization system running entirely under Windows. The zenon product sees use by companies worldwide for equipment automation in the automotive, energy and infrastructure, food and beverage, and pharmaceutical industries.

The Ing. Punzenberger COPA-DATA GmbH distribution network includes offices in Austria (for Central and Eastern Europe), France, Germany, Italy, Korea, Portugal and Spain, Sweden, the UK, and the U.S.

A vulnerability exists that may allow an attacker to cause a DoS and possibly execute arbitrary code if the attacker sends a specially crafted packet to zenAdminSrv.exe on Port 50777/TCP.

The vendor assigned Reference Number 25240 to the available update and CVE-2011-4533 is the number assigned to this vulnerability.

A second vulnerability exists that could allow an attacker to crash the ZenSysSrv.exe service, resulting in a DoS and possibly allowing arbitrary code execution. This vulnerability can be exploited by connecting to and disconnecting from the ZenSysSrv.exe service on Port 1101/TCP multiple times.

The vendor has assigned Reference Number 25212 to the available update and CVE-2011-4534 is the number assigned to this vulnerability.

An attacker with a low skill level can create the DoS; executing arbitrary code would require a more skilled attacker.

Ing. Punzenberger COPA-DATA GmbH recommends that customers take the following actions in order to prevent successful exploitation of these vulnerabilities:
• Properly configure network access to Ports 1101/TCP and 50777/TCP.
• Disable the ZenSysSrv.exe service. This service should only be used when necessary and disabled immediately afterward.
• Install the Ing. Punzenberger COPA-DATA GmbH update. Customers can obtain the update for their systems from their local support source by referring to either Reference Number 25212 or 25240.
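As an added, defender-side illustration that is not part of the original article or of the vendor's advisory: a small Python check that runs over constructed connection-log lines (the log format, the host addresses and the 10.1.1.0/24 allow list are all assumptions) and flags both the connect/disconnect churn against 1101/TCP that the second vulnerability describes and any connection to 1101/TCP or 50777/TCP from outside the networks a site has chosen to allow.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real zenon or firewall output), one "timestamp src_ip dst_port action" per line.
SAMPLE_LOG = [f"2012-02-14T10:00:{i:02d} 10.1.1.20 1101 {act}"
              for i in range(6) for act in ("CONNECT", "DISCONNECT")] + [
    "2012-02-14T10:05:00 10.1.1.5 50777 CONNECT",     # host inside the assumed allowed subnet
    "2012-02-14T10:06:00 192.168.7.9 50777 CONNECT",  # host outside the assumed allowed subnet
    "2012-02-14T10:07:00 10.1.1.5 1101 CONNECT",
]
ZENON_PORTS = {1101: "ZenSysSrv.exe", 50777: "zenAdminSrv.exe"}  # ports and services named in the advisory
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (CONNECT|DISCONNECT)$")

def parse_line(line):
    """Return (timestamp, src_ip, dst_port, action) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, port, action = m.groups()
    return datetime.fromisoformat(ts), src, int(port), action

def connection_churn(lines, port=1101, window_seconds=60, threshold=5):
    """Sources with at least `threshold` CONNECTs to `port` inside any window_seconds span, with the peak count.
    Repeated connect/disconnect cycles against ZenSysSrv.exe are the pattern described for CVE-2011-4534."""
    times = defaultdict(list)
    for ts, src, dst_port, action in filter(None, map(parse_line, lines)):
        if dst_port == port and action == "CONNECT":
            times[src].append(ts)
    flagged = {}
    for src, stamps in times.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):  # sliding window over the sorted timestamps
            while ts - stamps[start] > timedelta(seconds=window_seconds):
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged

def unexpected_sources(lines, allowed_networks=("10.1.1.0/24",)):
    """Sorted (src_ip, port, service) for CONNECTs to zenon ports from outside the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = set()
    for _, src, port, action in filter(None, map(parse_line, lines)):
        if action == "CONNECT" and port in ZENON_PORTS and not any(ipaddress.ip_address(src) in n for n in nets):
            hits.add((src, port, ZENON_PORTS[port]))
    return sorted(hits)
```

The second check is the monitoring counterpart of the vendor's first recommendation: once access to 1101/TCP and 50777/TCP is restricted, any source outside the allow list is worth investigating.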
