Invensys created a patch to fix the uncontrolled search path element vulnerability, commonly referred to as a DLL hijack, in its Wonderware InTouch application. If unpatched, the vulnerability could lead to arbitrary code execution.
Independent researcher Carlos Mario Penagos Hollmann, who discovered the vulnerability, validated that the upgrade resolves the hole, according to a report on ICS-CERT.
The following Invensys products contain the vulnerable DLL:
• InTouch 2012 and all prior versions,
• Wonderware Application Server 2012 and prior versions,
• Wonderware Information Server 4.5 and prior versions,
• Foxboro Control Software 4.0 and all prior versions,
• InFusion CE/FE/SCADA 2.5 and all prior versions,
• InBatch 9.5 SP1 and all prior versions, and
• Wonderware Historian 10.0 SP1 and all prior versions.
“Invensys appreciates the professionalism of cyber researchers like Carlos Hollmann, who was instrumental in finding and responsibly disclosing this security vulnerability,” said Paul Forney, chief technologist, supervisory platform R&D, Invensys Operations Management. “Because of his coordinated response, and with his assistance, we were quickly able to validate our solution. Diligently addressing cyber security related issues remains a key focus for Invensys. We continue to collaborate responsibly with the community of independent researchers, ICS-CERT and other industry partners to strengthen our R&D processes, apply best practices and deliver highly secure products and solutions that protect the safety of our customers. We believe this organized, professional and collaborative approach will result in a much more secure critical infrastructure.”
The Invensys Wonderware InTouch HMI sees use in quite a few industries across the world, including manufacturing, energy, food and beverage, chemical, and water and wastewater.
The Information Server provides industrial information content including process graphics, trends, and reports. The Invensys Wonderware InTouch HMI Web Client provides access to these reports and analyses, as well as write-back capabilities to processes.
InTouch uses an open, or uncontrolled, search path to locate the DLLs it loads: the loader walks a list of directories in order and takes the first file that matches the requested name. An unauthorized user who can write to a directory that is searched before the directory holding the legitimate DLL can place a malicious DLL there, and the application will load it instead of the valid one. An attacker must have access to the host file system to exploit this vulnerability. The exploit only triggers when a local user runs the vulnerable application and it loads the malformed DLL file.
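To make the search-order problem concrete, the following added example (not Invensys code, and not the DLL from the advisory) simulates a Windows-style DLL search in Python over a constructed file inventory. It shows how a DLL placed in an earlier, writable directory shadows the legitimate copy in a trusted system directory, and how restricting the search order to trusted directories (the effect a vendor patch or a safe-loading API call achieves) removes the hijack. The directory names, the file inventory and the `helper.dll` placeholder are all assumptions made for illustration.

```python
"""Added example: model DLL search-order hijacking and its mitigation.
Paths, file inventory and DLL names are constructed; nothing here is
taken from the advisory or from any vendor's real layout."""
from typing import Dict, List, Optional

# Constructed snapshot: which file names exist in which directories.
# The "Shared" directory stands in for a location a low-privilege user
# can write to (hypothetical); System32 holds the legitimate copy.
FILESYSTEM: Dict[str, List[str]] = {
    r"C:\Program Files\Vendor\App": ["app.exe"],
    r"C:\Users\Public\Shared": ["helper.dll"],            # attacker-writable
    r"C:\Windows\System32": ["helper.dll", "kernel32.dll"],
}

# Directories whose contents the defender considers trustworthy.
TRUSTED_DIRS = {r"C:\Windows\System32"}


def default_search_order(app_dir: str, cwd: str, path_env: List[str]) -> List[str]:
    """Approximates a legacy uncontrolled search order: application
    directory, current working directory, system directory, then PATH.
    Simplified model for illustration, not the exact Windows algorithm."""
    return [app_dir, cwd, r"C:\Windows\System32", *path_env]


def restricted_search_order() -> List[str]:
    """Models a hardened loader that consults only trusted directories,
    as a safe-loading mode (system-directory-only search) would do."""
    return sorted(TRUSTED_DIRS)


def resolve(dll: str, search_order: List[str]) -> Optional[str]:
    """Return the first directory in search_order containing dll
    (case-insensitive match, as the Windows loader would do)."""
    wanted = dll.lower()
    for directory in search_order:
        names = (f.lower() for f in FILESYSTEM.get(directory, []))
        if wanted in names:
            return directory
    return None


def audit(dll: str, search_order: List[str]) -> dict:
    """Report where dll would resolve and whether an untrusted directory
    wins over a trusted one that also holds the file."""
    resolved = resolve(dll, search_order)
    expected = next(
        (d for d in search_order if d in TRUSTED_DIRS and resolve(dll, [d])),
        None,
    )
    return {
        "dll": dll,
        "resolved": resolved,
        "expected": expected,
        "hijackable": resolved is not None and resolved not in TRUSTED_DIRS,
    }


if __name__ == "__main__":
    # Scenario: the application is launched with the writable directory
    # as its working directory, so it is searched before System32.
    uncontrolled = default_search_order(
        r"C:\Program Files\Vendor\App", r"C:\Users\Public\Shared", []
    )
    print("uncontrolled:", audit("helper.dll", uncontrolled))
    print("restricted:  ", audit("helper.dll", restricted_search_order()))
```

Run as a script, the first report flags `helper.dll` as hijackable because it resolves from the writable directory while a trusted copy exists in System32; the second shows the same lookup with the restricted order resolving to the trusted copy only. The same `audit` routine can be pointed at a real directory inventory to find DLL names that appear both in a writable location and in a trusted one.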
CVE-2012-3005 is the number assigned to this vulnerability, which has a CVSS v2 Base Score of 6.6.
This vulnerability is not remotely exploitable; it requires user interaction, since a local user must run the vulnerable application for the malformed DLL to load. An attacker with a moderate skill level would be able to exploit this vulnerability.
Invensys provided instructions and a link to the software download.
Install the Security Update using instructions provided in the ReadMe file. In general, the user should:
• Read the installation instructions provided with the patch,
• Shut down any of the affected software products,
• Install the update, and
• Restart the software.