Sielco Sistemi Fixes Winlog Holes

Wednesday, March 19, 2014 @ 05:03 PM gHale


While it took just under two years, there is an update Sielco Sistemi Winlog multiple vulnerabilities first published in July, 2012.

Sielco Sistemi produced a new release that corrects all identified vulnerabilities in the application discovered by researchers Carlos Mario Penagos Hollmann of IOActive, Michael Messner, and Luigi Auriemma, according to a report on ICS-CERT. Hollmann and Auriemma tested the release to validate that it resolves the remotely exploitable vulnerabilities. Exploit code is publicly available for these vulnerabilities.

The following Sielco Sistemi products suffer from the issues:
• Winlog Pro SCADA, all versions prior to 2.07.18
• Winlog Lite SCADA, all versions prior to 2.07.18.

RELATED STORIES
Siemens Patches SIMATIC S7-1500 Holes
SCADA File Parsing Vulnerability
Yokogawa Patches CENTUM CS 3000 Holes
Schneider OFS Buffer Overflow

Successful exploitation of these vulnerabilities could lead to a program crash, information leakage, or arbitrary code execution.

Sielco Sistemi is an Italy-based company that creates supervisory control and data acquisition/human-machine interface (SCADA/HMI) software and hardware products.

Winlog Lite SCADA is a demo version of the Winlog Pro SCADA/HMI system. Winlog Pro SCADA sees use across several sectors including manufacturing, public utilities, telecommunications, and others. Sielco Sistemi products deploy mainly in Italy, Turkey, Canada, U.S., Indonesia, and Spain.

By sending malicious specially crafted packets to Port 46824/TCP, an attacker can overflow a memory buffer on the target system. Errors in RunTime.exe and TCPIPS_Story.dll can end up exploited by these packets to cause the buffer overflow. The packets can also cause a boundary error in RunTime.exe causing the buffer overflow. This can allow the attacker to cause a denial-of-service condition leading to a crash or possible execution of arbitrary code.

CVE-2012-3815 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

Unauthorized users can access and read files on the system that Winlog is running by causing an input validation error. An attacker can send a malicious specially formed packet to Port 46824/TCP to allow unauthorized access to the system, which may lead to information leakage.

CVE-2012-4353 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

By sending malicious specially crafted packets that point outside of the defined array, an attacker can cause a crash of the system. By using 32-bit operation coding, a file pointer outside the array could execute arbitrary code and cause a denial-of-service condition leading to a crash.

CVE-2012-4354 and CVE-2012-4355 are the case numbers assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

An input validation error when processing certain requests can end up exploited to disclose arbitrary files via directory traversal sequences sent in a specially crafted packet to TCP Port 46824.

CVE-2012-4356 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

By sending a malicious specifically formed packet, unauthorized attackers are able to write outside of the existing buffer allocation. The error when allocating when processing these malicious packets can end up exploited to reference an invalid memory location. This exploit could cause a crash of the system.

CVE-2012-4358 and CVE-2012-4359 are the case numbers assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

Some of the preceding vulnerability details came from a Secunia Advisory SA49395.

Exploits that target this vulnerability are publicly available and an attacker with a low-skill level would be able to exploit these vulnerabilities.

Sielco Sistemi created an update to fix these vulnerabilities. This update, Winlog Pro SCADA and Winlog Lite SCADA Version 2.07.18, is available for customer download.



Leave a Reply

You must be logged in to post a comment.