Invensys’ Wonderware has fixes to mitigate a series of vulnerabilities discovered by three security researchers, according to ICS-CERT reports.
In one case, a patch is available to cover multiple vulnerabilities in Wonderware’s Information Server. In another, a patch is available to fix two buffer overflow vulnerabilities in the WWCabFile component of Wonderware System Platform, used by multiple applications that run on the platform.
In the Information Server issue, Invensys developed a security update for the affected products, and the independent researchers who found the vulnerabilities, Billy Rios and Terry McCorkle, helped Invensys resolve them.
“We can’t stress enough the coordination provided by the ICS-CERT organization and the benefit they provide to the industrial control system community,” Paul Forney, chief technologist, supervisory platform R&D, Invensys Operations Management, said Wednesday. “Additionally, as two of the very best researchers in the field, Terry McCorkle and Billy Rios have been awesome to work with. Together they helped Invensys work through these vulnerabilities so we could release a validated, solid security update for our Wonderware Information Server solution. We also appreciate the responsible disclosure of the SignalSec Corporation, allowing our development teams to provide and test a solid fix to the WWCabFile vulnerabilities and then distribute the update to our customers. All this reinforces the notion that effective cyber security programs truly rely on collaboration between people, process and technology.”
The following Invensys Wonderware Information Server versions suffer from the issue: 4.0 SP1 and 4.5 Portal, and 4.0 SP1 and 4.5 Client.
In addition, only Wonderware Historian Client versions installed on the same node as the Wonderware Information Server Portal or Client are subject to the vulnerabilities.
If exploited, these vulnerabilities could allow denial of service, information disclosure, remote code execution, or session credential hijacking.
The Invensys Wonderware Information Server sees use in multiple industries worldwide, including manufacturing, energy, food and beverage, chemical, and water and wastewater. Information Server provides industrial information content including process graphics, trends, and reports. Wonderware Information Server Web Clients provide access to reports, analysis, or write-back capabilities to processes.
CROSS-SITE SCRIPTING
This vulnerability enables an attacker to inject client-side script into web pages viewed by other users or to bypass client-side security mechanisms imposed by web browsers. It could allow arbitrary code execution and may require social engineering to exploit. CVE-2012-0225 is the number assigned to this vulnerability. The Invensys assessment of the compound vulnerabilities using the CVSS Version 2.0 calculator rates an Overall CVSS Score of 8.1.
SQL INJECTION
An attacker can use this vulnerability to perform database operations unintended by the web application designer, which in some instances can lead to total compromise of the database server. This vulnerability could allow arbitrary code execution.
CVE-2012-0226 is the number assigned to this vulnerability, and the Invensys assessment of the compound vulnerabilities using the CVSS Version 2.0 calculator rates an Overall CVSS Score of 8.1.
PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS
Security access-permission issues with client controls can lead to denial of service.
CVE-2012-0228 is the number assigned to this vulnerability. The Invensys assessment of the compound vulnerabilities using the CVSS Version 2.0 calculator rates an Overall CVSS Score of 8.1.
These vulnerabilities are remotely exploitable; however, no known exploits specifically target them.
An attacker with a low skill level can create the denial of service, whereas it would require a more skilled attacker to execute arbitrary code. This attack may require social engineering to exploit.
Invensys has developed software updates to address the vulnerabilities. Customers running vulnerable versions of Invensys Wonderware Information Server and Invensys Wonderware Historian Client can bring their systems up to the most recent software updates by following the steps provided by Invensys.
Users can download Invensys software updates from the Wonderware Development Network (“Software Download” area) and the Infusion Technical Support website.
Invensys provided the following steps for update information.
Install the Security Update using instructions provided in the ReadMe file for the product and component installed. In general, the user should proceed as indicated below:
1. Wonderware Information Server – Portal component: Run the “Hotfix Install Utility.”
2. Wonderware Information Server – Client component: Uninstall the client from Add/Remove Programs (ClientSetup.msi), clear the IE cache (see specific instructions in the Readme file provided with the Security Update) and access the Wonderware Information Server site.
3. If the Portal component (Step 1) and the Client component (Step 2) are on the same node, perform the functions in Step 2 and also run the “Hotfix Install Utility.”
In addition to applying the software updates, Invensys made additional recommendations to customers running vulnerable versions of the Invensys Wonderware Information Server and Invensys Wonderware Historian Client products.
Those using versions of the products prior to Invensys Wonderware Information Server 5.0 and Invensys Wonderware Historian Client 10 SP3 should apply the security update to all installed nodes of the Portal and Client components. (All browser clients of the portal suffer from the vulnerabilities and should be patched.) Customers using the affected versions of Invensys Wonderware Information Server should set the security level settings in the Internet browser to “Medium – High” to minimize the risks presented by these vulnerabilities.
In another case, independent researcher Celil Unuver from SignalSec found two buffer overflow vulnerabilities in the WWCabFile component of the Wonderware System Platform, used by multiple applications that run on the platform. Invensys has a patch that resolves these vulnerabilities. Unuver tested the patch and verified it resolves the vulnerabilities.
The following Invensys products and versions suffer from the issue:
• Wonderware Application Server 2012 and all prior versions
• Foxboro Control Software Version 3.1 and all prior versions
• InFusion CE/FE/SCADA 2.5 and all prior versions
• Wonderware Information Server 4.5 and all prior versions
• ArchestrA Application Object Toolkit 3.2 and all prior versions
• InTouch 10.0 to 10.5 only (earlier versions of InTouch are not affected).
The Wonderware Historian is part of the System Platform but does not suffer from this issue.
Successfully exploiting these vulnerabilities will cause a buffer overflow that may allow remote code execution.
Wonderware System Platform, along with the Foxboro Control Software, designs, builds, deploys, and maintains standardized applications for manufacturing and infrastructure operations. The Wonderware Information Server is a component of the System Platform that aggregates and presents plant production and performance data.
HEAP-BASED BUFFER OVERFLOW
A heap-based overflow can overwrite function pointers that exist in memory with pointers to the attacker’s code. Applications that do not explicitly use function pointers are still vulnerable, as unrelated run-time programs can leave operational function pointers in memory.
The heap-based buffer overflow in the WWCabFile ActiveX component can be exploited by sending a long string of data to the “Open” member of the WWCabFile component.
CVE-2012-0257 is the number assigned to this vulnerability. Invensys said the vulnerability has a CVSS V2 base score of 6.0.
An attacker can exploit the heap-based buffer overflow by sending a long data string to the “AddFile” member of the WWCabFile component.
CVE-2012-0258 is the number assigned to this vulnerability. Invensys said it has a CVSS V2 base score of 6.0.
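The two WWCabFile bugs share one pattern: a string-taking member (“Open”, “AddFile”) copies its argument into a fixed-size heap buffer without checking its length, and, as the heap-overflow description above notes, the overwritten bytes can land on a function pointer that the component later calls. The following C model is an added illustration, not Invensys code and not the real WWCabFile layout; the struct, the 64-byte limit and the callback are assumptions chosen to show the unchecked copy beside its hardened form.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a WWCabFile-style heap object (constructed for this
 * example): a fixed path buffer sits directly before a function pointer, the
 * layout a CWE-122 overflow can exploit. */
#define WWCAB_PATH_MAX 64

typedef struct {
    char path[WWCAB_PATH_MAX];
    int (*on_open)(const char *path);   /* callback invoked after Open() */
} wwcab_t;

static int default_on_open(const char *path) { return path[0] != '\0'; }

wwcab_t *wwcab_new(void) {
    wwcab_t *c = calloc(1, sizeof *c);
    if (c) c->on_open = default_on_open;
    return c;
}

/* Vulnerable pattern: the caller controls how many bytes are written. A long
 * argument runs past path[] and clobbers on_open, which is then called. */
int wwcab_open_unsafe(wwcab_t *c, const char *arg) {
    strcpy(c->path, arg);               /* CWE-122: no bound on the copy */
    return c->on_open(c->path);
}

/* Hardened form: bound the length check to the buffer size and refuse the
 * argument before any byte is copied, rather than truncating silently. */
int wwcab_open_safe(wwcab_t *c, const char *arg) {
    const char *end = memchr(arg, '\0', WWCAB_PATH_MAX);
    if (end == NULL)
        return -1;                      /* no terminator within the buffer: too long */
    memcpy(c->path, arg, (size_t)(end - arg) + 1);
    return c->on_open(c->path);
}

/* Returns 1 while the callback pointer is still the original one. */
int wwcab_intact(const wwcab_t *c) { return c->on_open == default_on_open; }
```

Only the hardened function is safe to call with untrusted input; the unsafe one is shown to make the defect visible, and the check in `wwcab_open_safe` is the kind of change a vendor fix for this bug class contains.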
Invensys has rated these vulnerabilities as a medium concern based on exploit difficulty and the potential that an attacker may need to employ social engineering.
Invensys encourages users affected by these vulnerabilities to follow the instructions in their security bulletin.
Installation of the Security Update does not require a reboot. If multiple products are on the same node, the customer need only install the Security Update once.
To install the update, Invensys recommends that users follow the instructions found in the ReadMe file for the product and component installed.
In general, Invensys recommends users:
• Back up the Galaxy Database
• Back up the Wonderware Information Server Database
• Run the Security Update Utility.