Invensys created an update that mitigates multiple vulnerabilities that impact the Invensys Wonderware Information Server (WIS) software, according to a report on ICS-CERT.
Researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team, who found the vulnerabilities, tested the update and validated that it fixes the remotely exploitable issues.
Exploitation of these vulnerabilities could impact systems deployed in the critical manufacturing, energy, food and beverage, chemical, and water and wastewater sectors.
The following Invensys WIS versions suffer from the issue: WIS 4.0 SP1SP1 and 4.5– Portal, and WIS 5.0– Portal.
Successful exploitation of these vulnerabilities could allow an attacker to execute remote code, disclose information, or perform session credential high jacking of WIS.
Invensys works with industrial, commercial, rail operators, and appliance operators in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.
The Invensys WIS software sees use in the critical manufacturing, energy, food and beverage, chemical, and water and wastewater industries.
WIS provides industrial information content including process graphics, trends, and reports on a single Web page. WIS Web clients allow access to real-time dashboards, predesigned reports of industrial activities, and provide analysis or write back capabilities to the process.
One of the vulnerabilities enables an attacker to inject client-side script into Web pages viewed by other users or bypass client-side security mechanisms imposed by modern Web browsers. This vulnerability, if exploited, could allow arbitrary code execution and may require social engineering to exploit.
CVE-2013-0688 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
Another vulnerability could allow an attacker to perform database operations unintended by the Web application designer and, in some instances, can lead to total compromise of the database server. This vulnerability, if exploited, could allow arbitrary code execution.
CVE-2013-0684 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
WIS allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause WIS to send the contents of local or remote resources to the attacker’s server or cause a denial of service (DoS) of the system.
CVE-2013-0686 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.
WIS does not properly restrict the size or amount of resources requested, allowing the attacker to consume more resources than intended. This vulnerability, if exploited, could allow remote code execution and DoS.
CVE-2013-0685 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
To date, there are no public exploits specifically target these vulnerabilities and an attacker with a medium skill would be able to exploit these vulnerabilities.
Invensys has developed an update to the WIS software that mitigates these vulnerabilities. Click here to download and install the update from the Invensys download page.
Invensys said users running any machine with one or more of the products listed should undergo a patch. No other components of the WIS installed products have an issue. Users should install the update using instructions provided in the ReadMe file for the product and component they are installing. Invensys recommended users should set the Security level settings in the Internet browser to “Medium – High” to minimize the risks presented by these vulnerabilities.