Invensys created a patch that resolves the Unicode string vulnerability in the Wonderware SuiteLink service (slssvc.exe).
Last May, independent researcher Luigi Auriemma identified a vulnerability in which a maliciously crafted Unicode string causes a stack-based buffer overflow, along with proof-of-concept (PoC) exploit code.
ICS-CERT coordinated this vulnerability with Invensys, which confirmed the vulnerability exists for Wonderware products built prior to 2011. Auriemma confirmed the patch is valid.
Wonderware said versions of the slssvc service less than or equal to Version 54.x.x.x are vulnerable, but versions equal to or greater than Version 58.x.x.x are not vulnerable. InTouch 2012 and Wonderware Application Server 2012 are not vulnerable to the crash but will show excessive resource consumption if exploited.
The vulnerability allows an attacker to cause a buffer overflow that can ultimately lead to a denial-of-service (DoS) and crash of the system in some versions. The flaw allows an attacker to remotely stall or crash the slssvc service by sending a long and unallocated Unicode string to the buffer. This exploit could affect critical infrastructure and key resources where Wonderware SuiteLink is in use.
SuiteLink is a common component used for communication between Wonderware products. It can also carry communication between Wonderware products and some third-party products developed with Wonderware’s Extensibility Tool Kits. The Invensys Wonderware SuiteLink Service connects Wonderware software with third-party products and OPC-compliant devices and applications. Generally, when a user installs a Wonderware product, SuiteLink is likely installed as a common component.
The Invensys Wonderware SuiteLink component is used in many industries worldwide, including manufacturing, energy, food and beverage, chemical, and water and wastewater.
In one of the vulnerabilities, attackers can send an oversized unallocated string into the SuiteLink buffer that causes the allocated stack buffer to be overwritten. This attack causes a crash of slssvc.exe and a DoS. CVE-2012-3007 is the number assigned to this vulnerability, which has a CVSS V2 base score of 7.1.
Invensys recommended the following mitigations:
• Apply security update patch to affected nodes.
• Upgrade to InTouch/Wonderware Application Server (IT 10.5, WAS 3.5) or later.
• Upgrade to DASABCIP 4.1 SP2 or DASSiDirect 3.0.
• Install DAServer Runtime Components Upgrade 3.0 SP2, 3.0 SP3 or higher for any DAServer, DI Object, or third-party DAServer installation.
The Invensys security update patch is at the Wonderware download Web site.
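To decide which nodes need the patch first, the slssvc version thresholds Wonderware gave above can be applied to an asset inventory. The following is an added example, not code from Invensys or ICS-CERT; the CSV layout, host names and version values are constructed, and major versions 55 through 57 are reported separately because the article does not state their status.

```python
import csv
import io

# Thresholds as stated in the article: slssvc <= 54.x.x.x is vulnerable,
# slssvc >= 58.x.x.x is not. Majors 55-57 are not addressed by the article.
VULNERABLE_MAX_MAJOR = 54
FIXED_MIN_MAJOR = 58

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = """host,slssvc_version
hmi-01,51.6.0.0
hist-02,54.0.1.3
eng-03,56.2.0.0
app-04,58.1.0.0
hmi-05,
gw-06,v54
"""


def classify(version):
    """Map a dotted slssvc file version to a triage status."""
    major_text = (version or "").strip().split(".")[0]
    if not (major_text.isascii() and major_text.isdecimal()):
        return "unknown"          # missing or unparsable: verify on the host
    major = int(major_text)
    if major <= VULNERABLE_MAX_MAJOR:
        return "vulnerable"
    if major >= FIXED_MIN_MAJOR:
        return "not-vulnerable"
    return "unstated"             # 55-57: confirm status with the vendor


def triage(inventory_csv):
    """Return {status: [hosts]} so patching can be prioritised."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row.get("slssvc_version"))
        report.setdefault(status, []).append(row["host"])
    return report


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:15} {', '.join(hosts)}")
```

Hosts reported as `unknown` or `unstated` should be checked by hand rather than assumed safe.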