There is an update that resolves the four confirmed vulnerabilities in the Pro-face Pro-Server EX application involving an invalid memory access, integer overflow, unhandled exception, and memory corruptions.
Each of these vulnerabilities is remotely exploitable, and public exploits target these vulnerabilities.
ICS-CERT coordinated these vulnerabilities with the development and manufacturing company of Pro-face branded products, Digital Electronics. Independent researcher Luigi Auriemma first discovered the holes.
Digital Electronics reported the vulnerabilities affect the following products: Data management software Pro-Server EX versions 1.00.00 through 1.30.00, and the HMI screen editor and logic programming software GP-Pro EX and related software WinGP Versions 2.00.00 through 3.01.100.
Exploitation of the vulnerabilities could result in a denial of service (DoS) or arbitrary code execution. An attacker with a moderate skill level would be able to exploit these vulnerabilities.
Pro-face is an HMI-related hardware and software product line found in a wide range of industries, such as oil and gas, food and beverage, and water and wastewater. Pro-face products see use throughout the world, with the highest number sold in Japan and the Asia Pacific area. Pro-Server EX is a data management server that collects information generated by a PLC system through an HMI unit and generates reports, company officials said. In February 2001, Pro-face America, Inc., a subsidiary of Digital Electronics Corporation, purchased Xycom Automation.
A specially crafted packet can cause an integer overflow that leads to a buffer overflow in an arbitrary memory location. Out-of-bounds memory access may result in the corruption of memory or instructions that may lead to a crash. The execution of arbitrary code may be possible. Other attacks leading to lack of availability may also be possible. CVE-2012-3792 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.
In addition, it is possible to exploit an integer overflow to crash the server, resulting in a denial of service. CVE-2012-3793 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
It is possible to terminate the server because of an unhandled exception. Exploitation of this vulnerability will cause a denial-of-service condition. CVE-2012-3794 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
Additionally, an attacker may crash the server by copying a large amount of memory from the target system. CVE-2012-3795 and CVE-2012-3796 are the numbers assigned to these vulnerabilities, which have a CVSS v2 base score of 5.8.
An attacker is able to write more data to a memory location than allocated due to a lack of size checks, which would likely result in a system crash. CVE-2012-3797 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
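The integer overflow and the missing size check described above belong to the same bug class: a length taken from the packet is trusted before it is validated. The C code below is an added example, not Digital Electronics code, showing the flawed size calculation beside a hardened one; the `rec_hdr` layout, the function names and `MAX_PAYLOAD` are assumptions made for illustration and do not describe the Pro-Server EX protocol.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_PAYLOAD 4096u   /* assumed upper bound for one record */

/* Hypothetical wire header in host byte order, NOT the Pro-Server EX format. */
struct rec_hdr { uint32_t count; uint32_t elem_size; };

/* Flawed pattern: the 32-bit multiply wraps, so a huge count yields a tiny
 * size that later code would use to allocate a buffer that is too small. */
uint32_t unchecked_size(const struct rec_hdr *h)
{
    return h->count * h->elem_size;
}

/* Hardened: reject wraparound, oversize records, and sizes larger than the
 * data that actually arrived. Returns 0 and stores the size, or -1. */
int checked_size(const struct rec_hdr *h, size_t bytes_received, uint32_t *out)
{
    if (h->count == 0 || h->elem_size == 0)
        return -1;
    if (h->count > UINT32_MAX / h->elem_size)    /* multiply would overflow */
        return -1;
    uint32_t total = h->count * h->elem_size;
    if (total > MAX_PAYLOAD)
        return -1;
    if (bytes_received < sizeof *h || total > bytes_received - sizeof *h)
        return -1;
    *out = total;
    return 0;
}

/* Copy one record's payload into dst only after the header is validated.
 * Returns the number of bytes copied, or -1 for a rejected packet. */
long parse_record(const uint8_t *pkt, size_t pkt_len, uint8_t *dst, size_t dst_len)
{
    struct rec_hdr h;
    uint32_t total;
    if (pkt_len < sizeof h)
        return -1;
    memcpy(&h, pkt, sizeof h);                   /* avoids unaligned reads */
    if (checked_size(&h, pkt_len, &total) != 0 || total > dst_len)
        return -1;
    memcpy(dst, pkt + sizeof h, total);
    return (long)total;
}
```

The hardened path fails closed: any header that cannot be reconciled with the bytes received and the destination size is dropped before a copy takes place.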
Digital Electronics released patch modules on its Web site. The patch module protects Pro-Server EX and WinGP against attacks that use inaccurate packets.
Digital Electronics recommends the following in addition to applying the patch:
• Review all network configurations for control system devices.
• Remove unnecessary PCs from control system networks.
• Remove unnecessary applications from control system networks.