Wonderware Vulnerability Patched

Tuesday, July 26, 2011 @ 12:07 PM gHale

By Gregory Hale
A stack-based buffer overflow vulnerability exists in two different ActiveX controls used by the Wonderware Information Server product, according to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Successful exploitation of this vulnerability could allow remote code execution on a client running vulnerable versions of the software, according to Billy Rios and Terry McCorkle, the independent security researchers who found the vulnerability.


There was a delay in releasing the information to allow users time to download and install an update.

ICS-CERT coordinated with the researchers and Invensys, and the company issued a patch to address this vulnerability. The researchers have confirmed this patch fully resolves the reported vulnerability.

The following are the affected Wonderware Information Server client versions:
• Wonderware Information Server 3.1
• Wonderware Information Server 4.0
• Wonderware Information Server 4.0 SP1.

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on vulnerable clients at the same privilege level as the exploited process.

“We work closely with both ICS-CERT and cyber researchers to validate and demonstrate the quality of our security updates,” said Paul Forney, cyber security system architect for Invensys Operations Management.

“In general, we maintain a two-pronged approach to cyber security,” he said. “One is to implement the Software Development Lifecycle (SDL) for all new projects so that security is designed in from the start. The second is to continually evaluate and model our legacy software for threats, concentrating on and strengthening the most critical components using the tools provided by the SDL. In this way, we believe we have demonstrated that Invensys responds to vulnerabilities and issues security updates faster than the industry standard.”

Wonderware’s Information Server sees use in several industries including oil and gas, chemical, power, pharmaceutical, and water and wastewater treatment.

The Wonderware Information Server contains a stack-based buffer overflow vulnerability. An attacker would need to create a specially crafted webpage or file for the client to open. Successfully exploiting the vulnerability could allow remote code execution in an affected client.

According to Invensys, the overall Common Vulnerability Scoring System (CVSS) severity score for this vulnerability is 6.0 (high) but may require social engineering to exploit.

This vulnerability is remotely exploitable. User interaction is likely required: a user must open a malicious file or website on a client with the vulnerable ActiveX control installed for code execution to occur.

To date, there are no exploits specifically targeting this vulnerability, according to ICS-CERT.

For an attacker to exploit this vulnerability, he would need a moderate set of skills. In addition, user interaction must occur to successfully execute the exploit.

Invensys created a patch that fully resolves this vulnerability. Customers of Invensys running vulnerable versions of Information Server can update their systems to the most recent patch release by following the steps provided by Invensys. In addition to applying this patch, Invensys has made additional recommendations to customers running vulnerable versions of the Information Server product:

• Log on to the Cyber Security Updates site, where Invensys provides information and useful links related to its security updates. https://wdn.wonderware.com/sites/WDN/Pages/Security Central/default.aspx
• Set the security level settings in the Internet browser to Medium-High to minimize the risk of an exploit of the vulnerability.
• For information regarding how to secure industrial control systems operating in a Microsoft Windows environment, please reference the Invensys Securing Industrial Control Systems Guide.
