Pro-face Pro-Server EX Fix

Thursday, July 5, 2012 @ 05:07 PM gHale


There is an update that resolves the four confirmed vulnerabilities in the Pro-face Pro-Server EX application involving an invalid memory access, integer overflow, unhandled exception, and memory corruptions.

Each of these vulnerabilities is remotely exploitable, and public exploits target these vulnerabilities.

ICS-CERT coordinated these vulnerabilities with the development and manufacturing company of Pro-face branded products, Digital Electronics. Independent researcher Luigi Auriemma first discovered the holes.

Digital Electronics reported the vulnerabilities affect the following products: Data management software Pro-Server EX versions 1.00.00 through 1.30.00, and the HMI screen editor and logic programming software GP-Pro EX and related software WinGP Versions 2.00.00 through 3.01.100.

Exploitation of the vulnerabilities could result in a denial of service (DoS) or arbitrary code execution. An attacker with a moderate skill level would be able to exploit these vulnerabilities.

Pro-face is a line of HMI-related hardware and software products found in a wide range of industries such as oil and gas, food and beverage, and water and wastewater. Pro-face products see use throughout the world, with the highest number sold in Japan and the Asia Pacific area. Pro-Server EX is a data management server that collects information generated by a PLC system through an HMI unit and generates reports, company officials said. In February 2001, Pro-face America, Inc., a subsidiary of Digital Electronics Corporation, purchased Xycom Automation.

A specially crafted packet can cause an integer overflow that leads to a buffer overflow in an arbitrary memory location. Out-of-bounds memory access may result in the corruption of memory or instructions that may lead to a crash. The execution of arbitrary code may be possible. Other attacks leading to lack of availability may also be possible. CVE-2012-3792 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

In addition, it is possible to exploit an integer overflow to crash the server, which could result in a denial of service. CVE-2012-3793 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

It is possible to terminate the server because of an unhandled exception. Exploitation of this vulnerability will cause a denial-of-service condition. CVE-2012-3794 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

Additionally, an attacker may crash the server by copying a large amount of memory from the target system. CVE-2012-3795 and CVE-2012-3796 are the numbers assigned to these vulnerabilities, which have a CVSS v2 base score of 5.8.

An attacker is able to write more data to a memory location than allocated due to a lack of size checks, which would likely result in a system crash. CVE-2012-3797 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
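The integer overflow and missing size check described above belong to one bug class: lengths taken from a packet are used in arithmetic that wraps before the bounds test. The following C sketch is an added example, not code from Digital Electronics or the advisory; the header layout, STORE_SIZE and all function names are hypothetical. It puts a flawed check beside a hardened one.

```c
#include <stdint.h>
#include <string.h>

#define STORE_SIZE 4096u /* hypothetical server-side buffer size */
/* Hypothetical request header, NOT the Pro-Server EX wire format. */
struct req_hdr {
    uint32_t offset;  /* where in the store to write */
    uint32_t count;   /* number of elements that follow */
    uint32_t elem_sz; /* size of each element in bytes */
};

/* Flawed check: both the multiply and the add wrap modulo 2^32,
 * so an oversized request can appear to fit. Returns 1 if accepted. */
int naive_check(const struct req_hdr *h)
{
    uint32_t total = h->count * h->elem_sz; /* may wrap */
    return h->offset + total <= STORE_SIZE; /* may wrap */
}

/* Hardened check: each bound is tested before the arithmetic, and the
 * declared length must equal the number of bytes actually received. */
int safe_check(const struct req_hdr *h, size_t payload_len)
{
    if (h->count == 0 || h->elem_sz == 0) return 0;
    if (h->count > UINT32_MAX / h->elem_sz) return 0; /* product would wrap */
    uint32_t total = h->count * h->elem_sz;
    if (h->offset > STORE_SIZE) return 0;
    if (total > STORE_SIZE - h->offset) return 0;     /* subtraction cannot wrap */
    return (size_t)total == payload_len;
}

/* Copies only after validation; returns bytes written, or -1 on reject. */
long handle_request(uint8_t *store, const struct req_hdr *h,
                    const uint8_t *payload, size_t payload_len)
{
    if (!safe_check(h, payload_len)) return -1;
    memcpy(store + h->offset, payload, payload_len);
    return (long)payload_len;
}

int main(void)
{
    static uint8_t store[STORE_SIZE];
    uint8_t data[16] = {0};
    struct req_hdr wrapped = { 0, 0x40000001u, 4 }; /* constructed: product wraps to 4 */
    struct req_hdr valid = { 32, 4, 4 };
    if (handle_request(store, &wrapped, data, 4) != -1) return 1;
    return handle_request(store, &valid, data, 16) == 16 ? 0 : 1;
}
```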

Digital Electronics released patch modules on its Web site. The patch module protects Pro-Server EX and WinGP from attacks using inaccurate packets.

Digital Electronics recommends the following in addition to applying the patch:
• Review all network configurations for control system devices.
• Remove unnecessary PCs from control system networks.
• Remove unnecessary applications from control system networks.


