There is a heap-based buffer overflow vulnerability affecting the InduSoft ISSymbol ActiveX control, according to InduSoft and the Zero Day Initiative (ZDI), according to a report on ICS-CERT.
Successful exploitation of this vulnerability could allow remote execution of arbitrary code. The report of the vulnerability came to ZDI by security researcher Alexander Gavrun.
The following products and versions have the issues:
• InduSoft ISSymbol ActiveX Control (Build 301.1009.2904.0),
• InduSoft Thin Client Version 7.0, and
• InduSoft Web Studio Version 7.0B2
Successful exploitation of the vulnerability could allow an attacker to perform arbitrary code execution, which could result in adverse application conditions and ultimately impact the production environment of a supervisory control and data acquisition (SCADA) system.
InduSoft Web Studio is a collection of automation tools to develop human-machine interfaces, SCADA systems, and embedded instrumentation systems. InduSoft products often integrate as third-party components in other vendors’ products.
Boundary errors on processing the “InternationalOrder” and “InternationalSeparator” properties can undergo exploitation by causing a heap-based buffer overflow via an overly long string assigned to the properties. CVE-2011-0340 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.
ICS-CERT recommended InduSoft Web Studio software users take the following mitigation steps:
• Apply hotfix 70.1.02.12. The InduSoft security patch and details are available at: http://www.indusoft.com/hotfixes/hotfixes.php.
• NOTE: Users will be required to email InduSoft support to acquire the hotfix.
The link on the InduSoft Web site will automatically draft an email to Support with a request.