Wonderware Patches Holes

Monday, February 13, 2012 @ 06:02 PM gHale


There are cross-site scripting (XSS) and write access violation vulnerabilities in the Invensys Wonderware HMI reports product.

ICS-CERT coordinated the vulnerabilities, identified by independent security researchers Billy Rios and Terry McCorkle, with Ocean Data Systems, a third-party software provider, and Invensys, which has produced a new product version that resolves the issues. The researchers confirmed the new version resolves these vulnerabilities.


“Working with Terry, Billy, Ocean Data and ICS-CERT, Invensys was able to validate and help issue an update for this risk,” said Ernie Rakaczky, principal security architect at Invensys. “It is another example of why coming together in a collaborative environment is important to identifying, correcting and mitigating risks, as well as making the mitigation quickly available to the user community. We thank Terry, Billy and everyone involved for their professionalism, support, trust and patience. It truly demonstrates what collaborative vulnerability mitigation is really all about.”

The following versions suffer from the problem: Wonderware HMI Reports 3.42.835.0304 and prior.

Successful attacks could result in data leakage, denial of service, or remote code execution.

Wonderware HMI Reports deploys across several industries including manufacturing, building automation, oil and gas, water and wastewater, healthcare, and electric utilities. These products are in action across the globe, according to Invensys.

The XSS vulnerability exists in the Invensys Wonderware HMI Reports application because of a lack of server-side validation of query string parameter values. Exploitation of this vulnerability requires that a user visit a specially crafted URL, which injects client-side scripts into the server’s HTTP response to the client.
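The defect class described above, as an added illustration rather than code from Wonderware HMI Reports or Invensys: a handler that copies a query-string value straight into its HTML response, beside a hardened version that validates the value on the server and HTML-encodes whatever it echoes. The parameter name `report`, the allowlist of report names and the page template are assumptions made for the demo.

```python
"""Reflected XSS via an unvalidated query-string parameter, and the fix.

Added illustration, not code from Wonderware HMI Reports. The parameter
name "report", KNOWN_REPORTS and the page template are assumptions.
"""
import html
import re
from urllib.parse import parse_qs, urlparse

# Allowlist of report names the server actually knows about (constructed).
KNOWN_REPORTS = {"daily_summary", "shift_totals", "alarm_history"}

# Report identifiers are expected to be short tokens: letters, digits, underscore.
REPORT_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def report_param(url: str) -> str:
    """Return the raw value of the 'report' query parameter, or '' if absent."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return qs.get("report", [""])[0]


def render_vulnerable(url: str) -> str:
    """Before: the parameter value is copied verbatim into the HTML response.

    Anything in the query string, markup included, is reflected to the
    browser unchanged; this is the class of defect the advisory describes.
    """
    name = report_param(url)
    return f"<h1>Report: {name}</h1>"


def encode_for_html(value: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities, so the value
    can only ever render as text, never as markup."""
    return html.escape(value, quote=True)


def render_hardened(url: str) -> str:
    """After: validate the value server-side, then encode it for HTML output.

    Two independent controls: the value must match a strict pattern and name a
    report the server knows, and whatever is echoed is HTML-encoded anyway.
    """
    name = report_param(url)
    if not REPORT_NAME_RE.fullmatch(name) or name not in KNOWN_REPORTS:
        # Rejected input is never echoed back, not even encoded.
        return "<h1>Report: unknown</h1>"
    return f"<h1>Report: {encode_for_html(name)}</h1>"


def reflects_markup(rendered: str, payload: str) -> bool:
    """True if the raw payload survived into the response, i.e. XSS is possible."""
    return payload in rendered


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate request, one carrying markup.
    good = "http://hmi.example/reports?report=daily_summary"
    bad = "http://hmi.example/reports?report=<script>alert(1)</script>"
    for url in (good, bad):
        print("vulnerable:", render_vulnerable(url))
        print("hardened:  ", render_hardened(url))
```

The allowlist check does the real work here; the encoding step is defence in depth, so a future report name containing an unexpected character still cannot break out of the text node it is placed in.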

CVE-2011-4038 is the number assigned to this vulnerability, which is the same as the Ocean Data number. Invensys’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 6.0.

A write access violation vulnerability also exists in the HMI Reports application. Exploitation of this vulnerability requires that a user opens a specially crafted file. This may result in arbitrary code execution.

CVE-2011-4039 is the number assigned to this vulnerability, which is the same as the Ocean Data number. Invensys’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 6.0.

The XSS vulnerability is remotely exploitable. The write access violation is not remotely exploitable and cannot be exploited without user interaction: it triggers only when a local user runs the vulnerable application and loads a malformed file.

An attacker with a low skill level can create the XSS exploit. An attacker must use social engineering to convince the user to visit a malicious site.

Crafting a working exploit for the access violation vulnerability would be difficult. An attacker must use social engineering to convince the user to accept the malformed file. Additional user interaction must occur to load the malformed file. This decreases the likelihood of a successful exploit.

Invensys recommends users install the Security Update using the specific instructions provided in the ReadMe file for each product and component installed. In general, users should download the update, the associated upgrade instructions, and the license file update. After installation, users must migrate the report definitions into the new Quick Reports 2012 format, as explained in the upgrade instructions. Users must also request a permanent license file from the distributor. Click here to gain access to the update.
