===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0029
          A number of vulnerabilities have been identified in 3S
             CODESYS Gateway-Server prior to version 2.3.9.27
                             25 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              3S CODESYS Gateway-Server
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-4708 CVE-2012-4707 CVE-2012-4706
                      CVE-2012-4705 CVE-2012-4704 
Member content until: Wednesday, March 27 2013

OVERVIEW

        A number of vulnerabilities have been identified in 3S CODESYS 
        Gateway-Server prior to version 2.3.9.27. [1]


IMPACT

        ICS-CERT has provided the following details regarding these 
        vulnerabilities:
        
        "IMPROPER ACCESS OF INDEXABLE RESOURCE (RANGE ERROR)
        
        The 3S CODESYS Gateway-Server performs operations on a memory 
        buffer, but it can read from or write to a memory location that is 
        outside of the intended boundary of the buffer. This could allow the
        attacker to send a specially crafted packet over TCP/1211 to cause a
        crash, read from unintended memory locations, or execute arbitrary 
        code stored in a separate memory location.
        
        CVE-2012-4704 has been assigned to this vulnerability. A CVSS v2 
        base score of 9.4 has been assigned; the CVSS vector string is 
        (AV:N/AC:L/Au:N/C:C/I:N/A:C)." [1]
        
        "DIRECTORY OR PATH TRAVERSAL
        
        The 3S CODESYS Gateway-Server uses external input to construct a 
        pathname that is intended to identify a file or directory that is 
        located underneath a restricted parent directory. However, the 
        software does not properly neutralize special elements within the 
        pathname that can cause the pathname to resolve to a location 
        outside the restricted directory. An attacker can use a specially 
        crafted directory path to exploit this vulnerability.
        
        CVE-2012-4705 has been assigned to this vulnerability. A CVSS v2 
        base score of 10.0 has been assigned; the CVSS vector string is 
        (AV:N/AC:L/Au:N/C:C/I:C/A:C)." [1]
        
        "HEAP-BASED BUFFER OVERFLOW
        
        The 3S CODESYS Gateway-Server fails to check for a signed value that
        could lead to the buffer being overwritten with malicious code. This
        vulnerability is exploited by sending a specially crafted packet 
        over TCP/1211 affecting the availability of the system.
        
        CVE-2012-4706 has been assigned to this vulnerability. A CVSS v2 
        base score of 7.8 has been assigned; the CVSS vector string is 
        (AV:N/AC:L/Au:N/C:N/I:N/A:C)." [1]
        
        "IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY 
        BUFFER
        
        The 3S CODESYS Gateway-Server can read or write to a memory location
        that is outside the intended boundary of the buffer. As a result, an
        attacker may execute arbitrary code, alter the intended control 
        flow, read sensitive information, or cause a system crash. 
        CVE-2012-4707 has been assigned to this vulnerability.
        
        A CVSS v2 base score of 7.8 has been assigned; the CVSS vector 
        string is (AV:N/AC:L/Au:N/C:N/I:N/A:C)." [1]
        
        "STACK-BASED BUFFER OVERFLOW
        
        By sending a specially crafted packet to the 3S CODESYS 
        Gateway-Server over Port TCP/1211, an attacker can cause a 
        stack-based buffer overflow. This condition could allow an attacker
        to cause a system crash or denial of service.
        
        CVE-2012-4708 has been assigned to this vulnerability. A CVSS v2 
        base score of 10 has been assigned; the CVSS vector string is 
        (AV:N/AC:L/Au:N/C:C/I:C/A:C)." [1]


MITIGATION

        ICS-CERT recommends that administrators apply the security patch
        available from the download site for CODESYS at 
        http://www.codesys.com/download.html


REFERENCES

        [1] ICSA-13-050-01 - 3S CODESYS GATEWAY-SERVER MULTIPLE VULNERABILITIES
            http://ics-cert.us-cert.gov/pdf/ICSA-13-050-01.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================