===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2011.1138.2
        ICSA-11-279-02--CitectSCADA and Mitsubishi MX4 SCADA Batch
                          Server buffer overflow
                             19 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CitectSCADA V7.10 and prior using the CitectSCADA Batch Server module
                   Mitsubishi MX4 SCADA V7.10 and prior using the MX4 SCADA Batch module
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Mitigation
CVE Names:         CVE-2011-5163  

Original Bulletin: 
   http://www.us-cert.gov/control_systems/pdf/ICSA-11-279-02.pdf

Comment: While ICS-CERT has explicitly stated that the "...vulnerability is not
         remotely exploitable...", it has also been stated that the 
         "...vulnerability results from an overly long user input string sent 
         to the server during the normal logon sequence..." which would
         indicate that this vulnerability may be exploitable without user
         authentication.

Revision History:  September 19 2012: Added CVE reference
                   November  10 2011: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS-CERT ADVISORY
ICSA-11-279-02--CITECTSCADA AND MITSUBISHI MX4 SCADA BATCH SERVER BUFFER 
OVERFLOW

November 08, 2011

OVERVIEW

ICS-CERT originally released Advisory ICSA-11-279-02P on the US-CERT secure 
Portal on October 06, 2011. This web page release was delayed to allow users 
time to download and install the update.

Researcher Kuang-Chun Hung of Taiwan's Information and Communication Security 
Technology Center (ICST) has reported a buffer overflow affecting Mitsubishi 
MX4 Supervisory Control and Data Acquisition (SCADA). Upon further 
investigation, MX4 SCADA was found to be a version of CitectSCADA, a product 
offered by Schneider Electric. This Advisory includes a full list of known 
affected products.

A buffer overflow vulnerability resides in a third-party component used by the 
CitectSCADA and MX4 SCADA Batch products. Successful exploitation of this 
vulnerability could allow an attacker to execute arbitrary code.

ICS-CERT has coordinated the researcher's vulnerability report with Schneider 
Electric. Schneider Electric has issued a patch to address the reported 
vulnerability. The researcher has confirmed the patch is effective in 
addressing the vulnerability. Schneider Electric has provided the patch to 
Mitsubishi for distribution to MX4 SCADA customers.

AFFECTED PRODUCTS

The following products and versions are affected:
 * CitectSCADA V7.10 and prior using the CitectSCADA Batch Server module.
 * Mitsubishi MX4 SCADA V7.10 and prior using the MX4 SCADA Batch module.

IMPACT

Successful exploitation of this vulnerability could allow an attacker to 
execute arbitrary code on a system running an affected version of these 
products.

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact 
of this vulnerability based on their environment, architecture, and product 
implementation.

BACKGROUND

CitectSCADA is a human-machine interface (HMI) product that is offered by 
Schneider Electric. MX4 SCADA is a product offered by Mitsubishi.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

A buffer overflow vulnerability exists in a third-party component used by the 
CitectSCADA and MX4 SCADA Batch products. This vulnerability results from an 
overly long user input string sent to the server during the normal logon 
sequence. This overly long input string can allow successful exploitation of 
this vulnerability and can allow execution of arbitrary code.
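An added illustration of the bug class described above (not code from CitectSCADA, MX4 SCADA or the unnamed third-party component): a logon handler that copies the user-supplied name into a fixed-size field, shown in its unchecked form beside a bounded one that rejects over-long and truncated input before writing anything. The 1-byte length-prefixed message layout, the 32-byte field and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define USER_FIELD_LEN 32   /* assumed size of the fixed logon name field */

struct logon_record {
    char user[USER_FIELD_LEN];  /* NUL-terminated account name */
    int  state;                 /* adjacent data an overflow would clobber */
};

enum { LOGON_OK = 0, LOGON_TOO_LONG = -1, LOGON_TRUNCATED = -2 };

/* Unsafe 'before' pattern: trusts the sender's length prefix, so a name
 * longer than USER_FIELD_LEN - 1 writes past 'user' into 'state' and beyond.
 * Kept only for contrast; it is never called with over-long input here. */
int logon_unchecked(struct logon_record *rec, const uint8_t *msg, size_t msg_len)
{
    size_t name_len = msg[0];
    (void)msg_len;                        /* the bound that should have been used */
    memcpy(rec->user, msg + 1, name_len); /* no check against USER_FIELD_LEN */
    rec->user[name_len] = '\0';
    return LOGON_OK;
}

/* Hardened handler: validates the framing and the field bound before any
 * byte is written, so an over-long name is rejected instead of copied. */
int logon_checked(struct logon_record *rec, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1)
        return LOGON_TRUNCATED;         /* no length prefix at all */
    size_t name_len = msg[0];
    if (name_len + 1 > msg_len)
        return LOGON_TRUNCATED;         /* prefix claims more bytes than received */
    if (name_len > USER_FIELD_LEN - 1)
        return LOGON_TOO_LONG;          /* leave room for the terminator */
    memcpy(rec->user, msg + 1, name_len);
    rec->user[name_len] = '\0';
    return LOGON_OK;
}

/* Builds a constructed logon message of n 'A' bytes behind a 1-byte length
 * prefix into out (which must hold n + 1 bytes); returns the message length. */
size_t build_logon_msg(uint8_t *out, size_t n)
{
    out[0] = (uint8_t)n;
    memset(out + 1, 'A', n);
    return n + 1;
}
```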

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability is not remotely exploitable.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

An attacker with a low skill level could exploit this vulnerability.

MITIGATION

CITECTSCADA BATCH SERVER

Schneider Electric has released a notification about this vulnerability on 
its website, available here:
http://www.citect.com/citectscada-batch.

Schneider Electric has made mitigation recommendations to customers using 
affected products based on their implementation and use of the Batch product.

Customers who are actively using the CitectSCADA Batch product

Schneider Electric advises these customers to contact Schneider for details on 
how to migrate to the new Batch platform. The BatchUninstaller is available 
here: http://www.citect.com/citectscada-batchuninstaller.

Customers who run V5.50, V6.00, V6.10, V7.00, or V7.10 of CitectSCADA, but DO 
NOT use the Batch product

Schneider Electric recommends these customers run the CitectSCADA Batch 
Uninstaller to uninstall the Batch component, therefore eliminating the risk. 
The CitectSCADA Batch Uninstaller is available here: 
http://www.citect.com/citectscada-batch.

MITSUBISHI MX4 SCADA BATCH SERVER

Mitsubishi Electric Europe B.V. is contacting customers who have purchased an 
MX4 BATCH license and will work both with the customer and Schneider Electric
to ensure they are not at risk from this vulnerability.

Mitsubishi Electric Europe B.V. has released a notification about this 
vulnerability on its website, available here: Mitsubishi Customer Notification.

Mitsubishi recommends that customers who may have installed the MX4SCADA but 
are not using the MX4Batch engine (CitectSCADA Batch engine) remove this 
module by using the uninstaller provided on its website:

http://www.mitsubishi-automation.com/ > Download > Product Safety Notice

Alternatively, the uninstaller can be obtained from Schneider Electric's 
website:

http://www.citect.com/citectscada-batch-uninstaller

Customers using MX4 Batch should contact their local Mitsubishi Electric 
Europe B.V. representative to discuss upgrading to a new version of the Batch 
platform or alternatively moving to a non-PC-based batch system such as 
Mitsubishi Electric Europe B.V.'s C Batch.

Mitsubishi Electric can be contacted at fa-psn@mitsubishi-automation.com for 
further assistance.

ADDITIONAL DEFENSIVE MEASURES

In addition to the mitigation options offered by Schneider Electric and 
Mitsubishi, ICS-CERT encourages asset owners to take additional defensive 
measures to protect against cybersecurity risks:

 * ICS-CERT encourages asset owners to minimize network exposure for all
   control system devices. Critical devices should not directly face the 
   Internet.

 * Locate control system networks and remote devices behind firewalls, and 
   isolate them from the business network.

 * When remote access is required, use secure methods, such as Virtual Private 
   Networks (VPNs), recognizing that VPN is only as secure as the connected 
   devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk 
assessment prior to taking defensive measures.

The Control Systems Security Program (CSSP) also provides a recommended 
practices section for control systems on the CSSP web page. Several recommended 
practices are available for reading or download, including Improving Industrial 
Control Systems Cybersecurity with Defense-in-Depth Strategies.[a]

Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to ICS-CERT for 
tracking and correlation against other incidents.

In addition, ICS-CERT recommends that users take the following measures to 
protect themselves from social engineering attacks:

1. Do not click web links or open unsolicited attachments in e-mail messages.
2. Refer to Recognizing and Avoiding Email Scams for information on avoiding 
   e-mail scams.[b]
3. Refer to Avoiding Social Engineering and Phishing Attacks for more 
   information on social engineering attacks.[c]

ICS-CERT CONTACT

For any questions related to this report, please contact ICS-CERT at:

E-mail:    ics-cert@dhs.gov
Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting: www.ics-cert.org

DOCUMENT FAQ

What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide 
awareness or solicit feedback from critical infrastructure owners and 
operators concerning ongoing cyber events or activity with the potential to 
impact critical infrastructure computing networks.

When is vulnerability attribution provided to researchers? Attribution for 
vulnerability discovery is provided when prior coordination has occurred with 
either the vendor, ICS-CERT, or other coordinating entity. ICS-CERT encourages 
researchers to coordinate vulnerability details before public release. The 
public release of vulnerability details prior to the development of proper 
mitigations may put industrial control systems and the public at avoidable 
risk.

a. CSSP Recommended Practices, 
http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html
website last accessed November 07, 2011.

b. Recognizing and Avoiding Email Scams, 
http://www.us-cert.gov/reading_room/emailscams_0905.pdf, website last accessed 
November 07, 2011.

c. National Cyber Alert System Cyber Security Tip ST04-014, 
http://www.us-cert.gov/cas/tips/ST04-014.html, website last accessed 
November 07, 2011.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================