Wonderware Vulnerability Patch Posted

Monday, March 7, 2011 @ 04:03 PM gHale

There is a buffer overflow vulnerability in the Wonderware InBatch and I/A Series Batch software products (all supported versions), according to the Industrial Control System Cyber Emergency Response Team (ICS-CERT).

The service listening on TCP Port 9001 is vulnerable to a buffer overflow that could cause denial of service (DoS) or the possible execution of arbitrary code, according to an independent security researcher’s report. This vulnerability is remotely exploitable and exploit code is publicly available.

Invensys has validated the researcher’s claim and has released a patch for this vulnerability. You can download the ICS-CERT validated patch at the Invensys Cyber Security Updates page.

“We became aware of this vulnerability in December 2010 when it was released to the public,” said Ernest A. Rakaczky, portfolio program manager, Control Systems — Cyber Security for Invensys Operations Management. “Invensys quickly notified ICS-CERT and US-CERT to ensure this vulnerability was logged and tracked. We then quickly worked with them to put a mitigation in place within two days. Within 60 days we had created a patch that would help users overcome this vulnerability related to Wonderware InBatch and I/A Series Batch.”

Rakaczky said Invensys’ goals are to respond to and resolve these issues as quickly as possible, collaborating with ICS-CERT and US-CERT.

This vulnerability affects all supported versions of the Wonderware InBatch Server and I/A Batch Server in the InBatch and I/A Batch products. The following identifies the affected supported products:

Product and Component: Wonderware InBatch 8.1 – InBatch Server (all versions)
Supported Operating System: Windows XP Professional, Windows 2000 Server, Windows Server 2003
Security Impact: Denial of Service
Severity Rating: Medium

Product and Component: Wonderware InBatch 9.0 – InBatch Server (all versions)
Supported Operating System: Windows XP Professional, Windows Server 2003
Security Impact: Denial of Service
Severity Rating: Medium

Product and Component: I/A Series Batch 8.1 – I/A Series Batch Server (all versions)
Supported Operating System: Windows Server 2003 Server R2, Windows XP Professional SP2
Security Impact: Denial of Service
Severity Rating: Medium

Any users running earlier versions should contact their support provider for guidance.

While a successful exploit of the buffer overflow could allow a denial of service (DoS) or arbitrary code execution, the specific impact to an individual organization depends on factors unique to the organization, according to the ICS-CERT alert.

ICS-CERT recommends organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.

Wonderware InBatch and I/A Series Batch products develop batch management capabilities for control system applications that run on the Microsoft Windows platforms, according to Invensys.

Wonderware InBatch and I/A Series Batch software see use in a variety of batching processes, including pharmaceutical production; food and beverage production, including breweries and milk production; and various chemical sector batching processes. Estimates show InBatch software deployed in Europe at 60%, North America at 30%, and other areas around the world at 10%. I/A Series Batch software is in use in North America at the 60% level, and Europe at 40%.

According to the researcher’s report, the InBatch service listening on TCP Port 9001 is vulnerable to a buffer overflow that could allow a DoS or possibly lead to arbitrary code execution. This vulnerability is remotely exploitable and exploit code has been released.

To exploit this vulnerability, an attacker would need an intermediate skill level. An exploit would require development of a malicious application with access to TCP Port 9001 on the batch server and an understanding of the protocol used on that port. The malicious application would need to send a partially valid message that overflows the internal buffer.

Invensys has internally assessed the vulnerability using the Common Vulnerability Scoring System (CVSS) and has determined that it rates an overall CVSS score of 5.5, using the CVSS Version 2.0 calculator.

ICS-CERT and Invensys recommend users of Wonderware InBatch and I/A Series Batch take the following mitigation steps:
• Install the patch located at the Invensys Cyber Security Updates page.
• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
• Place control system networks and devices behind firewalls and isolate them from the business network. Restrict access to TCP Port 9001. If remote access is required, utilize secure methods such as Virtual Private Networks (VPNs).
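
One way to check the last mitigation against a firewall policy, as an added example that is not part of the original article or of any Invensys or ICS-CERT tooling: the sketch evaluates a first-match ruleset and flags sources outside an allowlist that the policy still lets reach the batch server on TCP Port 9001. The rule format, addresses and network names are constructed assumptions.

```python
import ipaddress

BATCH_PORT = 9001  # TCP port of the batch service named in the advisory

# Constructed sample policy, evaluated top-down (first match wins).
# All addresses and the rule format are illustrative assumptions.
RULES = [
    {"action": "allow", "src": "10.20.0.0/24", "dst": "10.20.5.10/32", "ports": (9001, 9001)},
    {"action": "allow", "src": "10.0.0.0/8", "dst": "10.20.5.0/24", "ports": (8000, 9100)},  # broad legacy rule
    {"action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "ports": (1, 65535)},
]
SERVER = "10.20.5.10"             # hypothetical batch server
ALLOWED_NETS = ["10.20.0.0/24"]   # hypothetical control LAN that may use the service
PROBES = [
    ("control LAN client", "10.20.0.15"),
    ("business workstation", "10.50.3.7"),
    ("internet host", "203.0.113.9"),
]

def decide(rules, src, dst, port, default="deny"):
    """Return (action, rule_index) for the first rule matching the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(rules):
        lo, hi = rule["ports"]
        if (s in ipaddress.ip_network(rule["src"])
                and d in ipaddress.ip_network(rule["dst"])
                and lo <= port <= hi):
            return rule["action"], i
    return default, None

def exposure_report(rules, server, probes, allowed_nets):
    """List probe sources outside the allowlist that the policy still lets reach the port."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for label, src in probes:
        action, idx = decide(rules, src, server, BATCH_PORT)
        in_allowlist = any(ipaddress.ip_address(src) in n for n in allowed)
        if action == "allow" and not in_allowlist:
            findings.append((label, src, idx))
    return findings

if __name__ == "__main__":
    for label, src, idx in exposure_report(RULES, SERVER, PROBES, ALLOWED_NETS):
        print(f"EXPOSED: {label} ({src}) reaches {SERVER}:{BATCH_PORT} via rule #{idx}")
```

In the sample policy the broad port-range rule shadows the intent of the narrow one, so the business workstation is reported; removing that rule leaves the report empty.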