InduSoft Web Studio Vulnerability

Monday, April 28, 2014 @ 10:04 AM gHale

There is a directory traversal vulnerability affecting the InduSoft Web Studio application, according to a report on ICS-CERT.

Successful exploitation of this remotely exploitable vulnerability could allow remote execution of arbitrary code. This vulnerability ended up reported by the Zero Day Initiative (ZDI) who received the initial dispatch from security researcher John Leitch.

Festo Not Fixing Controller Holes
Siemens Fixes SIMATIC Family Holes
Certec Fixes Heartbleed Vulnerability
Siemens Fixes SINEMA Vulnerabilities

Web Studio Version 7.1 suffers from the issue.

Successful exploitation of the reported vulnerability could allow an attacker to read files outside the web root and possibly perform arbitrary code execution. These actions can result in adverse application conditions and ultimately impact the production environment on which the supervisory control and data acquisition (SCADA) system works.

InduSoft Web Studio is a collection of automation tools to develop human-machine interfaces, SCADA systems, and embedded instrumentation systems.

InduSoft Web Studio often ends up integrated as a third-party component in other vendors’ products. According to Austin, TX-based InduSoft, Web Studio sees uses across several sectors including commercial facilities, critical manufacturing, energy, food and agriculture, healthcare and public health, and water and wastewater systems.

The NTWebServer (test web server installed with InduSoft Web Studio) contains a flaw that enables a malicious user to read files outside the web root. This can end up exploited to read APP files that may contain application passwords. It may be possible to achieve remote code execution by exfiltrating credentials for Web Studio itself, then using them to remotely administer the targeted instance to deploy attacker controlled server-side code.

CVE-2014-0780 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.

No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.

InduSoft did not intend for this web server to see action in real applications. It was a demonstration/training software (as stated in user manuals). They have created a mitigation for this vulnerability in InduSoft Web Studio v7.1+Service Pack 2+ Patch 4. Users may obtain this patch at the following location (you must log into your InduSoft account).

For more information, you can email InduSoft technical support.

Leave a Reply

You must be logged in to post a comment.