-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0337
               Invensys Wonderware Multiple Vulnerabilities
                                3 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Invensys Wonderware Information Server
                   Invensys Wonderware System Platform
Publisher:         US-CERT
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0258 CVE-2012-0257 CVE-2012-0228 CVE-2012-0226
                   CVE-2012-0225

Original Bulletin:
   http://www.us-cert.gov/control_systems/pdf/ICSA-12-062-01.pdf
   http://www.us-cert.gov/control_systems/pdf/ICSA-12-081-01.pdf

Comment: This bulletin contains two (2) US-CERT security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS-CERT ADVISORY

ICSA-12-062-01 - INVENSYS WONDERWARE INFORMATION SERVER MULTIPLE
VULNERABILITIES

April 02, 2012

OVERVIEW

ICS-CERT originally released Advisory ICSA-12-062-01P - Invensys Wonderware
Information Server Multiple Vulnerabilities on the US-CERT secure portal on
March 02, 2012. This web page release was delayed to allow users time to
download and install the update.

Independent security researchers Terry McCorkle and Billy Rios have identified
multiple vulnerabilities in the Invensys Wonderware Information Server.
Invensys has developed a security update for the affected products.

Invensys has expressed appreciation to Billy Rios and Terry McCorkle as
independent security researchers for the discovery and collaboration with
Invensys on resolving these vulnerabilities.

AFFECTED PRODUCTS

The following Invensys Wonderware Information Server versions are affected:

* 4.0 SP1 and 4.5 - Portal
* 4.0 SP1 and 4.5 - Client

The following Invensys Wonderware Historian Client version is affected: Only
Wonderware Historian Client versions installed on the same node as the
Wonderware Information Server Portal or Client are subject to the
vulnerabilities reported in this Advisory.

IMPACT

These vulnerabilities, if exploited, could allow denial of service,
information disclosure, remote code execution, or session credential
hijacking.

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of these vulnerabilities based on their operational environment, architecture,
and product implementation.

BACKGROUND

The Invensys [a] Wonderware Information Server is used in many industries
worldwide, including manufacturing, energy, food and beverage, chemical, and
water and wastewater. The Information Server provides industrial information
content including process graphics, trends, and reports. The Invensys
Wonderware Information Server Web Clients provide access to reports,
analysis, or write-back capabilities to processes.

VULNERABILITY OVERVIEW

CROSS-SITE SCRIPTING [b]

This vulnerability enables an attacker to inject client-side script into web
pages viewed by other users or bypass client-side security mechanisms imposed
by modern web browsers. This vulnerability, if exploited, could allow
arbitrary code execution and may require social engineering to exploit.

CVE-2012-0225 [c] has been assigned to this vulnerability. The Invensys
assessment of the compound vulnerabilities using the CVSS [d] Version 2.0
calculator rates an Overall CVSS Score of 8.1. [e]

SQL INJECTION [f]

This vulnerability can be used by an attacker to perform database operations
that were unintended by the web application designer and, in some instances,
can lead to total compromise of the database server. This vulnerability, if
exploited, could allow arbitrary code execution.

CVE-2012-0226 [g] has been assigned to this vulnerability. The Invensys
assessment of the compound vulnerabilities using the CVSS [h] Version 2.0
calculator rates an Overall CVSS Score of 8.1. [e]

PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS [i]

The security access permissions issues with client controls can lead to
denial of service.

CVE-2012-0228 [j] has been assigned to this vulnerability. The Invensys
assessment of the compound vulnerabilities using the CVSS [k] Version 2.0
calculator rates an Overall CVSS Score of 8.1. [e]

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities are remotely exploitable.

EXISTENCE OF EXPLOIT

No known exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with a low skill level can create the denial of service, whereas
it would require a more skilled attacker to execute arbitrary code. This
attack may require social engineering to exploit.

MITIGATION

Invensys has developed software updates to address the reported
vulnerabilities. Customers of Invensys running vulnerable versions of Invensys
Wonderware Information Server and Invensys Wonderware Historian Client can
update their systems to the most recent software updates released by following
the steps provided by Invensys.

Invensys software updates can be downloaded from the Wonderware Development
Network (Software Download area) and the Infusion Technical Support website:
https://wdn.wonderware.com/sites/WDN/Pages/Downloads/Software.aspx.

The following steps are provided by Invensys for update information. Install
the Security Update using instructions provided in the ReadMe file for the
product and component being installed. In general, the user should proceed as
indicated below:

1. Wonderware Information Server Portal component: Run the Hotfix Install
   Utility.
2. Wonderware Information Server Client component: Uninstall the client from
   Add/Remove Programs (ClientSetup.msi), clear the IE cache (see specific
   instructions in the Readme file provided with the Security Update) and
   access the Wonderware Information Server site.
3. If Step 2 and Step 3 are on the same node, perform the functions in Step 2
   and also run the Hotfix Install Utility.

In addition to applying the software updates, Invensys has made additional
recommendations to customers running vulnerable versions of the Invensys
Wonderware Information Server and Invensys Wonderware Historian Client
products.

Customers using versions of the products prior to Invensys Wonderware
Information Server 5.0 and Invensys Wonderware Historian Client 10 SP3 should
apply the security update to all nodes where the Portal and Client components
are installed. (All browser clients of the portal are affected and should be
patched.)

Customers using the affected versions of Invensys Wonderware Information
Server should set the security level settings in the Internet browser to
Medium-High to minimize the risks presented by these vulnerabilities.

ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks.

* Minimize network exposure for all control system devices. Critical devices
  should not directly face the Internet.
* Locate control system networks and remote devices behind firewalls, and
  isolate them from the business network.
* When remote access is required, use secure methods, such as Virtual Private
  Networks (VPNs), recognizing that VPN is only as secure as the connected
  devices.

The Control Systems Security Program (CSSP) also provides a section for
control systems security recommended practices on the CSSP web page. Several
recommended practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies [l].

ICS-CERT reminds organizations to perform proper impact analysis and risk
assessment prior to taking defensive measures.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents.

In addition, ICS-CERT recommends that users take the following measures to
protect themselves from social engineering attacks:

1. Do not click web links or open unsolicited attachments in e-mail messages.
2. Refer to Recognizing and Avoiding Email Scams [m] for more information on
   avoiding e-mail scams.
3. Refer to Avoiding Social Engineering and Phishing Attacks [n] for more
   information on social engineering attacks.

ICS-CERT CONTACT

For any questions related to this report, please contact ICS-CERT at:

E-mail: ics-cert@dhs.gov
Toll Free: 1-877-776-7585

For CSSP Information and Incident Reporting: www.ics-cert.org

DOCUMENT FAQ

What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide
awareness or solicit feedback from critical infrastructure owners and
operators concerning ongoing cyber events or activity with the potential to
impact critical infrastructure computing networks.

When is vulnerability attribution provided to researchers? Attribution for
vulnerability discovery is always provided to the vulnerability reporter
unless the reporter notifies ICS-CERT that they wish to remain anonymous.
ICS-CERT encourages researchers to coordinate vulnerability details before
public release. The public release of vulnerability details prior to the
development of proper mitigations may put industrial control systems and the
public at avoidable risk.

REFERENCES

a. http://www.invensys.com/, website last accessed March 29, 2012.
b. http://cwe.mitre.org/data/definitions/79.html, website last accessed
   March 29, 2012.
c. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0225, NIST uses
   this advisory to create the CVE website report. This website will be
   active sometime after publication of this advisory.
d. http://nvd.nist.gov/cvss.cfm, website last accessed March 29, 2012.
e. National Vulnerability Database Calculator for LFSEC00000069, website last
   accessed March 29, 2012.
f. http://cwe.mitre.org/data/definitions/89.html, website last accessed
   March 29, 2012.
g. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0226, NIST uses
   this advisory to create the CVE website report. This website will be
   active sometime after publication of this advisory.
h. http://nvd.nist.gov/cvss.cfm, website last accessed March 29, 2012.
i. http://cwe.mitre.org/data/definitions/264.html, website last accessed
   March 29, 2012.
j. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0228, NIST uses
   this advisory to create the CVE website report. This website will be
   active sometime after publication of this advisory.
k. http://nvd.nist.gov/cvss.cfm, website last accessed March 29, 2012.
l. CSSP Recommended Practices,
   http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html,
   website last accessed March 29, 2012.
m. Recognizing and Avoiding Email Scams,
   http://www.us-cert.gov/reading_room/emailscams_0905.pdf, website last
   accessed March 29, 2012.
n. National Cyber Alert System Cyber Security Tip ST04-014,
   http://www.us-cert.gov/cas/tips/ST04-014.html, website last accessed
   March 29, 2012.

- ------------------------------------------------------------------------------

ICS-CERT ADVISORY

ICSA-12-081-01 - INVENSYS WONDERWARE SYSTEM PLATFORM BUFFER OVERFLOWS

March 30, 2012

OVERVIEW

ICS-CERT originally released Advisory ICSA-12-081-01P on the US-CERT secure
portal on March 21, 2012. This web page release was delayed to allow users
time to download and install the update.

Independent researcher Celil Unuver from SignalSec Corporation [a] has
identified two buffer overflow vulnerabilities in the WWCabFile component of
the Wonderware System Platform, which is used by multiple applications that
run on the platform. Invensys has produced a patch that resolves these
vulnerabilities. Mr. Unuver has tested the patch and verified that it
resolves the vulnerabilities.

AFFECTED PRODUCTS

The following Invensys products and versions are affected:

* Wonderware Application Server 2012 and all prior versions
* Foxboro Control Software Version 3.1 and all prior versions
* InFusion CE/FE/SCADA 2.5 and all prior versions
* Wonderware Information Server 4.5 and all prior versions
* ArchestrA Application Object Toolkit 3.2 and all prior versions
* InTouch 10.0 to 10.5 only (earlier versions of InTouch are not affected).

NOTE: The Wonderware Historian is part of the System Platform but is not
affected by this Security Update.

IMPACT

Successfully exploiting these vulnerabilities will cause a buffer overflow
that may allow remote code execution.

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of these vulnerabilities based on their operational environment, architecture,
and product implementation.

BACKGROUND

Wonderware System Platform, along with the Foxboro Control Software, is used
for designing, building, deploying, and maintaining standardized applications
for manufacturing and infrastructure operations. The Wonderware Information
Server is a component of the System Platform and is used for aggregating and
presenting plant production and performance data.

HEAP-BASED BUFFER OVERFLOW [b]

A heap-based overflow can be used to overwrite function pointers that exist in
memory with pointers to the attacker's code. Applications that do not
explicitly use function pointers are still vulnerable, as unrelated run-time
programs can leave operational function pointers in memory.

The heap-based buffer overflow in the WWCabFile ActiveX Component can be
exploited by sending a long string of data to the Open member of the
WWCabFile component.

Common Vulnerabilities and Exposures (CVE) Identifier CVE-2012-0257 [c] has
been assigned to this vulnerability. According to Invensys, a CVSS V2 base
score of 6.0 has also been assigned.

HEAP-BASED BUFFER OVERFLOW

The heap-based buffer overflow can be exploited by sending a long data string
to the AddFile member of the WWCabFile component.

CVE Identifier CVE-2012-0258 [d] has been assigned to this vulnerability.
According to Invensys, a CVSS V2 base score of 6.0 has also been assigned.

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities require user interaction to exploit, possibly by social
engineering.

EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities.

DIFFICULTY

Invensys has rated these vulnerabilities as a medium concern based on exploit
difficulty and the potential that social engineering may be required.

MITIGATION

Invensys encourages users affected by these vulnerabilities to follow the
instructions in their security bulletin, found here:
https://wdnresource.wonderware.com/support/docs/_SecurityBulletins/Security_Bulletin_LFSEC00000071.pdf

Installation of the Security Update does not require a reboot. If multiple
products are installed on the same node, the customer need only install the
Security Update once.

To install the update, Invensys recommends that users follow the instructions
found in the ReadMe file for the product and component being installed. In
general, Invensys recommends that users:

* Back up the Galaxy Database
* Back up the Wonderware Information Server Database
* Run the Security Update Utility.
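Both WWCabFile overflows above are of the same shape: a long caller-supplied string lands in a heap buffer that was sized for something shorter. The C program below is an added illustration and is not Invensys or WWCabFile code; the `cab_handle` structure, the `NAME_CAPACITY` value of 64 bytes, and the `open_unchecked`, `open_checked`, `add_file_checked` and `copy_bounded` functions are all hypothetical names chosen for this example. It places the unbounded copy that produces CWE-122 next to a bounded copy that measures the input first and refuses anything that does not fit with its terminator, so an oversized string returns an error and leaves the buffer untouched instead of writing past the allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed capacity of the heap-allocated name buffer. This is an
 * assumption for the example, not a WWCabFile constant. */
#define NAME_CAPACITY 64

/* Hypothetical handle standing in for an archive component object. */
struct cab_handle {
    char  *name;        /* heap block of `capacity` bytes */
    size_t capacity;
    int    files_added; /* number of accepted add_file calls */
};

struct cab_handle *cab_handle_new(void) {
    struct cab_handle *h = calloc(1, sizeof *h);
    if (h == NULL) return NULL;
    h->name = calloc(NAME_CAPACITY, 1);
    if (h->name == NULL) { free(h); return NULL; }
    h->capacity = NAME_CAPACITY;
    return h;
}

void cab_handle_free(struct cab_handle *h) {
    if (h == NULL) return;
    free(h->name);
    free(h);
}

/* Vulnerable pattern (CWE-122): strcpy trusts the caller's string length, so
 * a string of NAME_CAPACITY bytes or more writes past the end of the heap
 * block and corrupts whatever the allocator placed after it. Kept only for
 * comparison with the checked version below. */
int open_unchecked(struct cab_handle *h, const char *path) {
    strcpy(h->name, path);
    return 0;
}

/* Hardened helper: copy `src` into a buffer of `cap` bytes only if it fits
 * together with its NUL terminator; otherwise reject and leave `dst` as it
 * was. The length scan itself stops at `cap`, so an unterminated input cannot
 * make it read beyond that many bytes. Returns 0 on success, -1 if too long. */
static int copy_bounded(char *dst, size_t cap, const char *src) {
    size_t len = 0;
    while (len < cap && src[len] != '\0') len++;
    if (len >= cap) {
        return -1;               /* no room for the terminator: reject */
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hardened "Open": same operation as open_unchecked, bound enforced before
 * any byte is written. */
int open_checked(struct cab_handle *h, const char *path) {
    return copy_bounded(h->name, h->capacity, path);
}

/* Hardened "AddFile": validates the entry name against the same limit before
 * accepting it; only accepted entries are counted. */
int add_file_checked(struct cab_handle *h, const char *entry) {
    char scratch[NAME_CAPACITY];
    if (copy_bounded(scratch, sizeof scratch, entry) != 0) {
        return -1;
    }
    h->files_added++;
    return 0;
}

int main(void) {
    struct cab_handle *h = cab_handle_new();
    if (h == NULL) return 1;

    /* Constructed inputs: one that fits, one far longer than the buffer. */
    char oversized[4 * NAME_CAPACITY];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("open(\"plant.cab\")   -> %d\n", open_checked(h, "plant.cab"));
    printf("open(<%zu bytes>)    -> %d (rejected)\n", strlen(oversized),
           open_checked(h, oversized));
    printf("name still \"%s\"\n", h->name);
    printf("add_file(\"a.txt\")  -> %d\n", add_file_checked(h, "a.txt"));
    printf("add_file(<long>)    -> %d (rejected)\n",
           add_file_checked(h, oversized));

    cab_handle_free(h);
    return 0;
}
```

The rejection path matters as much as the copy: silently truncating with `strncpy` would avoid the overflow but can drop the terminator and hide the fact that malformed input arrived, whereas returning an error lets the caller log and refuse the request, which is the behaviour a patched component should show when it receives the long strings this advisory describes.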
ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks.

* Minimize network exposure for all control system devices. Critical devices
  should not directly face the Internet.
* Locate control system networks and remote devices behind firewalls, and
  isolate them from the business network.
* When remote access is required, use secure methods, such as Virtual Private
  Networks (VPNs), recognizing that VPN is only as secure as the connected
  devices.

The Control Systems Security Program (CSSP) also provides a section for
control systems security recommended practices on the CSSP web page. Several
recommended practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies. [e]

ICS-CERT reminds organizations to perform proper impact analysis and risk
assessment prior to taking defensive measures.

In addition, ICS-CERT recommends that users take the following measures to
protect themselves from social engineering attacks:

1. Do not click web links or open unsolicited attachments in e-mail messages.
2. Refer to Recognizing and Avoiding Email Scams [f] for more information on
   avoiding e-mail scams.
3. Refer to Avoiding Social Engineering and Phishing Attacks [g] for more
   information on social engineering attacks.

ICS-CERT CONTACT

For any questions related to this report, please contact ICS-CERT at:

E-mail: ics-cert@dhs.gov
Toll Free: 1-877-776-7585

For CSSP Information and Incident Reporting: www.ics-cert.org

DOCUMENT FAQ

What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide
awareness or solicit feedback from critical infrastructure owners and
operators concerning ongoing cyber events or activity with the potential to
impact critical infrastructure computing networks.

When is vulnerability attribution provided to researchers? Attribution for
vulnerability discovery is always provided to the vulnerability reporter
unless the reporter notifies ICS-CERT that they wish to remain anonymous.
ICS-CERT encourages researchers to coordinate vulnerability details before
public release. The public release of vulnerability details prior to the
development of proper mitigations may put industrial control systems and the
public at avoidable risk.

REFERENCES

a. SignalSec, http://www.signalsec.com/, website last accessed March 30, 2012.
b. http://cwe.mitre.org/data/definitions/122.html, website last accessed
   March 30, 2012.
c. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0257, NIST uses
   this advisory to create the CVE website report. This website will be
   active sometime after publication of this advisory.
d. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0258, NIST uses
   this advisory to create the CVE website report. This website will be
   active sometime after publication of this advisory.
e. CSSP Recommended Practices,
   http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html,
   website last accessed March 30, 2012.
f. Recognizing and Avoiding Email Scams,
   http://www.us-cert.gov/reading_room/emailscams_0905.pdf, website last
   accessed March 30, 2012.
g. National Cyber Alert System Cyber Security Tip ST04-014,
   http://www.us-cert.gov/cas/tips/ST04-014.html, website last accessed
   March 30, 2012.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIUAwUBT3pgwu4yVqjM2NGpAQIFFQ/4n2s2huxRe053AEOXl/fkjoHArApS9MvS
XHGbJ3Msl1GolrYE8aLg6QCTzpWQUnRiWPeZrnepJi3EZbSSg97azQ44ROA/o00O
44UKvLKeX8tuOxNHqG82KadyK/yXhMDPl+Cv7TfZmAUq9z/Wrb+fS+El/9oo/Pga
T8x5NyjBfCCr49geIhmVcGq9PR92KO1OXvFmQVKoHkqL++QTdLZGjxNGSZb1NoS1
ZyYJcynzlJOpXx8v7RZv7+0D5ECXpYrwLaMY+hoy2TSVi5Cv8kd6Se8J2vgnueLe
G+aMYALC9bSCNOuUDZvXx7XW62OksqaR4iJg1XFvKz2bbOzRhRlTVC44S0R+mpCR
8QYdRXTY/8yUrp6UqV0ht9i/e0jnbOug4EVA1w6s/ZoCmem5/ierf04R5tWuQG51
HjcYydCLPPJPgEldgNuEkVWQE1vfelBQwiXgJIq+FFr7Q4MSGWm7gQXjeBBIH7ky
J7sKmzjK5XmcPoLGSF/ziO1Zxnbi95BPpauQ+0cQNQOJxqnYUCn4TBnYNhB1jSfq
hb9POgY1uasRagSGG6fTjEklTrSiMFPVblA2UYOuZlBc6SOl44VP1H4dE46t9iIH
O5EKumZ2VvRAX1+aNkifHG1EtLdTBDIsXI5HNRILf2pDgniHp7A0B26DJX4t6z1L
DEl5Tkx/Vw==
=G1nY
-----END PGP SIGNATURE-----