OPTO 22 Clears Two Vulnerabilities

Friday, May 1, 2015 @ 06:05 PM gHale


OPTO 22 released new versions that mitigate two buffer overflow vulnerabilities in its PAC Project Professional, PAC Project Basic, OptoOPCServer, OptoDataLink, PAC Display Basic, and PAC Display Professional products, according to a report on ICS-CERT.

Ivan Sanchez from Nullcode Team, who discovered the vulnerabilities, tested the new versions to validate that they resolve the vulnerabilities. One of the two vulnerabilities is remotely exploitable.


The following OPTO 22 products contain the heap-based buffer overflow vulnerability:
• PAC Project Professional, versions prior to Version R9.4006
• PAC Project Basic, versions prior to Version R9.4006
• PAC Display Basic, versions prior to Version R9.4f
• PAC Display Professional, versions prior to Version R9.4f
• OptoOPCServer, versions prior to Version R9.4c
• OptoDataLink, Version R9.4d and prior versions installed by PAC Project installer, versions prior to Version R9.4006

The following OPTO 22 products contain the stack-based buffer overflow vulnerability in OPCTest.exe:
• PAC Project Professional, versions prior to Version R9.4008
• PAC Project Basic, versions prior to Version R9.4008
• PAC Display Basic, versions prior to Version R9.4g
• PAC Display Professional, versions prior to Version R9.4g
• OptoOPCServer, Version R9.4c and prior versions installed by PAC Project installer, versions prior to Version R9.4008
• OptoDataLink, Version R9.4d and prior versions installed by PAC Project installer, versions prior to Version R9.4008

Successful exploitation of these vulnerabilities may allow an attacker to execute arbitrary code on the target system.

OPTO 22 is a Temecula, CA-based company that manufactures hardware and software products that link electrical and mechanical devices to networks and computers.

The affected product, OptoOPCServer, integrates control systems with PCs on an Ethernet network running OPC clients. The PAC Project Basic and PAC Project Professional software suites are used for industrial automation, remote monitoring, and data acquisition applications. The PAC Display Basic and PAC Display Professional software suites are HMI packages for building operator interface applications that communicate with the SNAP PAC System. OptoDataLink connects the SNAP PAC System with various database packages. According to OPTO 22, the affected products are deployed across several sectors. OPTO 22 estimates these products are used primarily in North America.

In the case of the heap-based buffer overflow, a vulnerable file in the affected products is susceptible to a buffer overflow condition that may allow remote code execution on the target system.

CVE-2015-1006 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.0.

In the case of the stack-based buffer overflow, a specially crafted configuration file could be used to cause a buffer overflow condition in OPCTest.exe, which may allow remote code execution on the target system.

CVE-2015-1007 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.2.

No known public exploits specifically target these vulnerabilities. An attacker with low skill would be able to exploit the heap-based buffer overflow vulnerability. Crafting a working exploit for the stack-based buffer overflow vulnerability would be difficult. Social engineering is mandatory to convince the user to accept the malformed configuration file. Additional user interaction would be needed to load the malformed file. This decreases the likelihood of a successful exploit.

OPTO 22 addressed the heap-based buffer overflow vulnerability in the PAC Project installer, Version 9.4006, which installs the affected products. OPTO 22 released a customer notification that discusses the heap-based buffer overflow vulnerability.

The stack-based buffer overflow vulnerability was addressed in the PAC Project installer, Version 9.4008, by removing the diagnostic tool, OPCTest.exe, from the installed software in the affected products. OPTO 22 released a customer notification that discusses the stack-based buffer overflow vulnerability.

OPTO 22 suggests upgrading to the new product version as soon as possible.


