Wonderware Fixes InTouch Vulnerability

Thursday, October 10, 2013 @ 04:10 PM gHale

Invensys created an update that mitigates the improper input validation vulnerability in the Wonderware InTouch human-machine interface (HMI), according to a report on ICS-CERT.

Independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team discovered the vulnerability in the Wonderware InTouch application. The Positive Technologies Research Team tested the update to validate that it resolves the vulnerability.

Alstom Patches Software Vulnerability
Additional Patches for Rockwell
Philips Fixes Buffer Overflow
Bug in Siemens SCALANCE X-200

The following Invensys Wonderware products suffer from the version: InTouch HMI 2012 R2 and all previous versions.

Successful exploitation of this vulnerability could allow an attacker to affect the confidentiality and availability of the Invensys Wonderware InTouch.

Invensys is a global technology company that works with industrial, commercial, rail operators, and appliance operators, while operating in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.

The Invensys Wonderware InTouch HMI works across several sectors including critical manufacturing, energy, food and agriculture, chemical, and water and wastewater.

Wonderware InTouch HMI allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause Wonderware InTouch HMI to send the contents of local or remote resources to the attacker’s server or cause a denial of service of the system.

CVE-2012-4709is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.

This vulnerability is not remotely exploitable and needs user interaction for any kind of exploit. The exploit triggers when a local user runs the vulnerable application and loads the malformed XML files.

No known public exploits specifically target this vulnerability and an attacker with a low skill would be able to exploit this vulnerability.

Instructions and a link to the application update are on the Invensys download page.

Any machine running InTouch 2012 R2 or earlier versions suffers from the issue, according to Invensys. Users should install the update using instructions provided in the ReadMe file for the product and component installed. Invensys recommends users:
1. Read the installation instructions provided with the patch.
2. Shut down any of the affected software products.
3. Install the update.
4. Restart the software.

Leave a Reply

You must be logged in to post a comment.