Third Party Bug Fixed for Wonderware

Friday, February 22, 2013 @ 01:02 PM gHale


There are now mitigations for multiple holes that affect third-party software integrated into Invensys’ Wonderware Intelligence product, according to a report on ICS-CERT.

The remotely exploitable flaws are input validation vulnerabilities and permissions, privileges, and access controls vulnerabilities in Ruby on Rails, discovered by researcher Aaron Patterson. Exploitation of these vulnerabilities could allow loss of availability, integrity, and confidentiality.


Ruby on Rails is an open source Web framework used by Tableau Server Software, a third-party component shipped with Invensys Wonderware Intelligence.

An attacker leveraging these vulnerabilities could affect Wonderware Intelligence products deployed in the manufacturing, energy, water and wastewater, healthcare, and building automation sectors.

Wonderware produced a new product version and confirmed that it resolves the reported vulnerabilities.

The issues affect the Tableau Server component of Wonderware Intelligence up to version 1.5 SP1 (which corresponds to Tableau Server versions up to 7.0.12).

Successful attacks could result in unauthorized disclosure of information, unauthorized modification, and disruption of service in an insecure deployment.

Wonderware is real-time operations management software distributed by Invensys. Invensys provides automation and information technologies and systems.

Wonderware Intelligence is deployed worldwide across several industries, including manufacturing, building automation, water and wastewater, healthcare, and the energy sector.

Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation. This difference in parameter handling allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain “[nil]” values.

CVE-2013-0155 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.4.

Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values. By leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, an attacker can conduct object-injection attacks and execute arbitrary code or cause a denial of service involving nested XML entity references.

CVE-2013-0156 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.

Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser. The improperly converted data allow a remote attacker to execute arbitrary code, conduct SQL injection attacks, or bypass authentication.

CVE-2013-0333 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.
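The three affected Rails ranges above can be turned into a version check for inventory work. This is an added example, not code from ICS-CERT, Invensys or Tableau; the function name `affected_cves` is hypothetical and the version strings in the usage lines are constructed samples.

```ruby
require "rubygems" # Gem::Version compares version segments numerically

# Affected ranges exactly as stated in the advisory text above.
# Each pair is [lowest version of the branch, first fixed version].
# "before 2.3.15" has no lower bound in the text, so "0" is used.
AFFECTED = {
  "CVE-2013-0155" => [["3.0", "3.0.19"], ["3.1", "3.1.10"], ["3.2", "3.2.11"]],
  "CVE-2013-0156" => [["0", "2.3.15"], ["3.0", "3.0.19"],
                      ["3.1", "3.1.10"], ["3.2", "3.2.11"]],
  "CVE-2013-0333" => [["2.3", "2.3.16"], ["3.0", "3.0.20"]],
}.freeze

# Returns the CVE ids whose stated range contains rails_version,
# or nil when the string is not a parseable version (treat as "unknown",
# not as "safe").
def affected_cves(rails_version)
  return nil unless Gem::Version.correct?(rails_version)

  v = Gem::Version.new(rails_version)
  AFFECTED.select do |_cve, ranges|
    ranges.any? do |low, fixed|
      # v.release drops a prerelease suffix so "3.0.0.rc" still counts as
      # part of the 3.0 branch; the upper bound uses v itself, so a
      # prerelease of the fixed version is conservatively flagged.
      v.release >= Gem::Version.new(low) && v < Gem::Version.new(fixed)
    end
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory: version strings only, no real hosts.
  %w[2.3.14 3.0.19 3.2.10 3.2.11 garbage].each do |ver|
    result = affected_cves(ver)
    status = result.nil? ? "unparseable" : (result.empty? ? "not in stated ranges" : result.join(", "))
    puts "rails #{ver}: #{status}"
  end
end
```

Note that 3.0.19 clears CVE-2013-0155 and CVE-2013-0156 but is still inside the stated range for CVE-2013-0333, which is fixed in 3.0.20.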

No known public exploits specifically target these vulnerabilities. An attacker with a low skill level would be able to exploit these vulnerabilities.

Invensys recommends that customers using any version of Wonderware Intelligence up to 1.5 SP1 apply the security update to all systems on which the Tableau Dashboard Server is installed. The process consists of uninstalling the Dashboard Server and installing the new version. The server configuration and published dashboards are preserved during the installation of the new version.

Customers currently using a version older than 1.5 SP1 will need to obtain a new license.


