Operating System:

[Win]

Published:

03 April 2012

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0337
                Ivensys Wonderware Multiple Vulnerabilities
                               3 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Invensys Wonderware Information Server
                   Invensys Wonderware System Platform
Publisher:         US-CERT
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0258 CVE-2012-0257 CVE-2012-0228
                   CVE-2012-0226 CVE-2012-0225 

Original Bulletin: 
   http://www.us-cert.gov/control_systems/pdf/ICSA-12-062-01.pdf
   http://www.us-cert.gov/control_systems/pdf/ICSA-12-081-01.pdf

Comment: This bulletin contains two (2) US-CERT security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS-CERT ADVISORY

ICSA-12-062-01 INVENSYS WONDERWARE INFORMATION SERVER MULTIPLE 
VULNERABILITIES

April 02, 2012

OVERVIEW

ICS-CERT originally released Advisory ICSA-12-062-01P - Invensys Wonderware
Information Server Multiple Vulnerabilities on the US-CERT secure portal on
March 02, 2012. This web page release was delayed to allow users time to
download and install the update.

Independent security researchers Terry McCorkle and Billy Rios have identified
multiple vulnerabilities in the Invensys Wonderware Information Server.
Invensys has developed a security update to address these affected products.

Invensys has expressed appreciation to Billy Rios and Terry McCorkle as
independent security researchers for the discovery and collaboration with
Invensys on resolving these vulnerabilities.

AFFECTED PRODUCTS

The following Invensys Wonderware Information Server versions are affected:
 4.0 SP1 and 4.5 - Portal
 4.0 SP1 and 4.5 - Client.

The following Invensys Wonderware Historian Client version is affected:

Only Wonderware Historian Client versions installed on the same node as the
Wonderware Information Server Portal or Client are subject to the
vulnerabilities reported in this Advisory.

IMPACT

These vulnerabilities, if exploited, could allow denial of service, information
disclosure, remote code execution, or session credential high jacking. Impact
to individual organizations depends on many factors that are unique to each
organization. ICS-CERT recommends that organizations evaluate the impact of 
these vulnerabilities based on their operational environment, architecture, and
product implementation.

BACKGROUND

The Invensys [a] Wonderware Information Server is used in many industries
worldwide, including manufacturing, energy, food and beverage, chemical, and
water and wastewater.

The Information Server provides industrial information content including
process graphics, trends, and reports. The Invensys Wonderware Information
Server Web Clients provides access to reports, analysis, or write back
capabilities to processes.

VULNERABILITY OVERVIEW

CROSS-SITE SCRIPTING [b]

This vulnerability enables an attacker to inject client side script into web
pages viewed by other users or bypass client side security mechanisms imposed
by modern web browsers. This vulnerability, if exploited, could allow arbitrary
code execution and may require social engineering to exploit.

CVE-2012-0225 [c] has been assigned to this vulnerability. The Invensys
assessment of the compound vulnerabilities using the CVSS [d] Version 2.0
calculator rates an Overall CVSS Score of 8.1. [e]

SQL INJECTION [f]

This vulnerability can be used by an attacker to perform database operations
that were unintended by the web application designer and, in some instances,
can lead to total compromise of the database server. This vulnerability, if
exploited, could allow arbitrary code execution.

CVE-2012-0226 [g] has been assigned to this vulnerability. The Invensys
assessment of the compound vulnerabilities using the CVSS [h] Version 2.0
calculator rates an Overall CVSS Score of 8.1. [e]

PERMISSIONS, PRIVLEGES, AND ACCESS CONTROLS [i]

The security access permissions issues with client controls can lead to denial
of service.

CVE-2012-0228 [j] has been assigned to this vulnerability. The Invensys
assessment of the compound vulnerabilities using the CVSS [k] Version 2.0
calculator rates an Overall CVSS Score of 8.1. [e]

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities are remotely exploitable.

EXISTENCE OF EXPLOIT

No known exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with a low skill level can create the denial of service, whereas it
would require a more skilled attacker to execute arbitrary code. This attack
may require social engineering to exploit.

MITIGATION

Invensys has developed software updates to address the reported
vulnerabilities. Customers of Invensys running vulnerable versions of Invensys
Wonderware Information Server and Invensys Wonderware Historian Client can
update their systems to the most recent software updates released by following
the steps provided by Invensys.

Invensys software updates can be downloaded from the Wonderware Development
Network (Software Download area) and the Infusion Technical Support website: 
https://wdn.wonderware.com/sites/WDN/Pages/Downloads/Software.aspx.

The following steps are provided by Invensys for update information.
Install the Security Update using instructions provided in the ReadMe file for
the product and component being installed. In general, the user should proceed
as indicated below:

	1. Wonderware Information Server  Portal component: Run the Hotfix
	Install Utility.
	
	2. Wonderware Information Server  Client component: Uninstall the
	client from Add/Remove Programs (ClientSetup.msi), clear the IE cache
	(see specific instructions in the Readme file provided with the
	Security Update) and access the Wonderware Information Server site.
	
	3. If Step 2 and Step 3 are on the same node, perform the functions in
	Step 2 and also run the Hotfix Install Utility.

In addition to applying the software updates, Invensys has made additional
recommendations to customers running vulnerable versions of the Invensys
Wonderware Information Server and Invensys Wonderware Historian Client
products. Customers using versions of the products prior to Invensys Wonderware
Information Server 5.0 and Invensys Wonderware Historian Client 10 SP3 should
apply the security update to all nodes where the Portal and Client components
are installed. (All browser clients of the portal are affected and should be
patched). Customers using the affected versions of Invensys Wonderware
Information Server should set the security level settings in the Internet
browser to Medium-High to minimize the risks presented by these
vulnerabilities.

ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks.
	* Minimize network exposure for all control system devices. Critical
	devices should not directly face the Internet.

	* Locate control system networks and remote devices behind firewalls,
	and isolate them from the business network.

	* When remote access is required, use secure methods, such as Virtual
	Private Networks (VPNs), recognizing that VPN is only as secure as the
	connected devices.

The Control Systems Security Program (CSSP) also provides a section for control
systems security recommended practices on the CSSP web page. Several
recommended practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Stragies [l]. ICS-CERT reminds organizations to perform proper impact analysis
and risk assessment prior to taking defensive measures.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents. 

In addition, ICS-CERT recommends that users take the following measures to
protect themselves from social engineering attacks: 
	
	1. Do not click web links or open unsolicited attachments in e-mail
	messages 
	
	2. Refer to Recognizing and Avoiding Email Scams [m] for more
	information on avoiding e-mail scams.

	3. Refer to Avoiding Social Engineering and Phishing Attacks [n] for
	more information on social engineering attacks.

ICS-CERT CONTACT

For any questions related to this report, please contact ICS-CERT at:

E-mail: ics-cert@dhs.gov
Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting: www.ics-cert.org

DOCUMENT FAQ

What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide
awareness or solicit feedback from critical infrastructure owners and
operators concerning ongoing cyber events or activity with the potential to
impact critical infrastructure computing networks.

When is vulnerability attribution provided to researchers? Attribution for
vulnerability discovery is always provided to the vulnerability reporter unless
the reporter notifies ICS-CERT that they wish to remain anonymous. ICS-CERT
encourages researchers to coordinate vulnerability details before public
release. The public release of vulnerability details prior to the development
of proper mitigations may put industrial control systems and the public at
avoidable risk.

REFERENCES

a. http://www.invensys.com/, website last accessed March 29, 2012.
b. http://cwe.mitre.org/data/definitions/79.html, website last accessed
March 29, 2012.
c. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0225, NIST uses
this advisory to create the CVE website report. 
This website will be active sometime after publication of this advisory.
d. http://nvd.nist.gov/cvss.cfm, website last accessed March 29, 2012.
e. National Vulnerability Database Calculator for LFSEC00000069 ,website last
accessed March 29, 2012.
f. http://cwe.mitre.org/data/definitions/89.html, website last accessed
March29, 2012.
g. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0226, NIST uses
this advisory to create the CVE website report. This website will be active
sometime after publication of this advisory.
h. http://nvd.nist.gov/cvss.cfm, website last accessed March 29, 2012.
i. http://cwe.mitre.org/data/definitions/264.html, website last accessed
March 29, 2012
j. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0228, NIST uses
this advisory to create the CVE website report. This website will be active
sometime after publication of this advisory.
k. http://nvd.nist.gov/cvss.cfm, website last accessed March 29, 2012.
l. CSSP Recommended Practices, http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html,
website last accessed March 29, 2012.
m. Recognizing and Avoiding Email Scams, http://www.us-cert.gov/reading_room/emailscams_0905.pdf,
website last accessed March 29, 2012.
n. National Cyber Alert System Cyber Security Tip ST04-014,
http://www.us-cert.gov/cas/tips/ST04-014.html, website last accessed March 29,
2012.

- ------------------------------------------------------------------------------

ICS-CERT ADVISORY
ICSA-12-081-01 INVENSYS WONDERWARE SYSTEM PLATFORM BUFFER OVERFLOWS

March 30, 2012

OVERVIEW

ICS-CERT originally released Advisory ICSA-12-081-01P on the US-CERT secure
portal on March 21, 2012. This web page release was delayed to allow users time
to download and install the update.

Independent researcher Celil Unuver from SignalSec Corporation [a] has
identified two buffer overflow vulnerabilities in the WWCabFile component of
the Wonderware System Platform, which is used by multiple applications that run
on the platform. Invensys has produced a patch that resolves these
vulnerabilities. Mr. Unuver has tested the patch and verified that it resolves
the vulnerabilities.

AFFECTED PRODUCTS

The following Invensys products and versions are affected:

	* Wonderware Application Server 2012 and all prior versions 
	* Foxboro Control Software Version 3.1 and all prior versions 
	* InFusion CE/FE/SCADA 2.5 and all prior versions 
	* Wonderware Information Server 4.5 and all prior versions 
	* ArchestrA Application Object Toolkit 3.2 and all prior versions 
	* InTouch 10.0 to 10.5 only (earlier versions of InTouch are not
	affected).

NOTE: The Wonderware Historian is part of the System Platform but is not
affected by this Security Update.

IMPACT

Successfully exploiting these vulnerabilities will cause a buffer overflow that
may allow remote code execution. 

Impact to individual organizations depends on many factors that are unique to
each organization. 

ICS-CERT recommends that organizations evaluate the impact of these
vulnerabilities based on their operational environment, architecture, and
product implementation.

BACKGROUND

Wonderware System Platform, along with the Foxboro Control Software, is used
for designing, building, deploying, and maintaining standardized applications
for manufacturing and infrastructure operations. 

The Wonderware Information Server is a component of the System Platform and is
used for aggregating and presenting plant production and performance data.

HEAP-BASED BUFFER OVERFLOW [b]

A heap-based overflow can be used to overwrite function pointers that exist in
memory with pointers to the attackers code. Applications that do not explicitly
use function pointers are still vulnerable, as unrelated run-time programs can
leave operational function pointers in memory.

The heap-based buffer overflow in WWCabFile ActiveX Component can be exploited
by sending a long string of data to the Open member of the WWCabFile component.

Common Vulnerabilities and Exposures (CVE) Identifier CVE-2012-0257 [c] has
been assigned to this vulnerability. According to Invensys, a CVSS V2 base
score of 6.0 has also been assigned.

HEAP-BASED BUFFER OVERFLOW

The heap-based buffer overflow can be exploited by sending a long data string
to the AddFile member of the WWCabFile component.

CVE Identifier CVE-2012-0258 [d] has been assigned to this vulnerability.
According to Invensys, a CVSS V2 base score of 6.0 has also been assigned.

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities require user interaction to exploit, possibly by social
engineering. 

EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities.

DIFFICULTY

Invensys has rated these vulnerabilities as a medium concern based on exploit
difficulty and the potential that social engineering may be required.

MITIGATION

Invensys encourages users affected by these vulnerabilities to follow the
instructions in their security bulletin, found here: 

https://wdnresource.wonderware.com/support/docs/_SecurityBulletins/Security_Bulletin_LFSEC00000071.pdf

Installation of the Security Update does not require a reboot. If multiple
products are installed on the same node, the customer need only install the
Security Update once.

To install the update, Invensys recommends users to follow the instructions
found in the ReadMe file for the product and component being installed. In
general, Invensys recommends that users:

Back up the Galaxy Database 

Back up the Wonderware Information Server Database 

Run the Security Update Utility.

ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks.

	* Minimize network exposure for all control system devices. Critical
	devices should not directly face the Internet.

	* Locate control system networks and remote devices behind firewalls,
	and isolate them from the business network.

	* When remote access is required, use secure methods, such as Virtual
	Private Networks (VPNs), recognizing that VPN is only as secure as the
	connected devices.

The Control Systems Security Program (CSSP) also provides a section for control
systems security recommended practices on the CSSP web page. Several
recommended practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth 
Strategies. [e] ICS-CERT reminds organizations to perform proper impact
analysis and risk assessment prior to taking defensive measures.

In addition, ICS-CERT recommends that users take the following measures to
protect themselves from social engineering attacks: 
	
	1. Do not click web links or open unsolicited attachments in e-mail
	messages 
	
	2. Refer to Recognizing and Avoiding Email Scams [f] for more
	information on avoiding e-mail scams

	3. Refer to Avoiding Social Engineering and Phishing Attacks [g] for
	more information on social engineering attacks.

ICS-CERT CONTACT

For any questions related to this report, please contact ICS-CERT at:

E-mail: ics-cert@dhs.gov
Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting: www.ics-cert.org

DOCUMENT FAQ

What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide
awareness or solicit feedback from critical infrastructure owners and
operators concerning ongoing cyber events or activity with the potential to
impact critical infrastructure computing networks.

When is vulnerability attribution provided to researchers? Attribution for
vulnerability discovery is always provided to the vulnerability reporter unless
the reporter notifies ICS-CERT that they wish to remain anonymous. ICS-CERT
encourages researchers to coordinate vulnerability details before public
release. The public release of vulnerability details prior to the development
of proper mitigations may put industrial control systems and the public at
avoidable risk.

REFERENCES

a. SignalSec, http://www.signalsec.com/, website last accessed March 30, 2012.
b. http://cwe.mitre.org/data/definitions/122.html, website last accessed March
30, 2012.
c. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0257, NIST uses
this advisory to create the CVE website report. This website will be active
sometime after publication of this advisory.
d. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0258, NIST uses
this advisory to create the CVE website report. This website will be active
sometime after publication of this advisory.
e. CSSP Recommended Practices,
http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html,
website last accessed March 30, 2012.
f. Recognizing and Avoiding Email Scams,
http://www.us-cert.gov/reading_room/emailscams_0905.pdf,
website last accessed March 30, 2012.
g. National Cyber Alert System Cyber Security Tip ST04-014, http://www.us-cert.gov/cas/tips/ST04-014.html, website last 
accessed March 30, 2012.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIUAwUBT3pgwu4yVqjM2NGpAQIFFQ/4n2s2huxRe053AEOXl/fkjoHArApS9MvS
XHGbJ3Msl1GolrYE8aLg6QCTzpWQUnRiWPeZrnepJi3EZbSSg97azQ44ROA/o00O
44UKvLKeX8tuOxNHqG82KadyK/yXhMDPl+Cv7TfZmAUq9z/Wrb+fS+El/9oo/Pga
T8x5NyjBfCCr49geIhmVcGq9PR92KO1OXvFmQVKoHkqL++QTdLZGjxNGSZb1NoS1
ZyYJcynzlJOpXx8v7RZv7+0D5ECXpYrwLaMY+hoy2TSVi5Cv8kd6Se8J2vgnueLe
G+aMYALC9bSCNOuUDZvXx7XW62OksqaR4iJg1XFvKz2bbOzRhRlTVC44S0R+mpCR
8QYdRXTY/8yUrp6UqV0ht9i/e0jnbOug4EVA1w6s/ZoCmem5/ierf04R5tWuQG51
HjcYydCLPPJPgEldgNuEkVWQE1vfelBQwiXgJIq+FFr7Q4MSGWm7gQXjeBBIH7ky
J7sKmzjK5XmcPoLGSF/ziO1Zxnbi95BPpauQ+0cQNQOJxqnYUCn4TBnYNhB1jSfq
hb9POgY1uasRagSGG6fTjEklTrSiMFPVblA2UYOuZlBc6SOl44VP1H4dE46t9iIH
O5EKumZ2VvRAX1+aNkifHG1EtLdTBDIsXI5HNRILf2pDgniHp7A0B26DJX4t6z1L
DEl5Tkx/Vw==
=G1nY
-----END PGP SIGNATURE-----