All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
This advisory is a follow-up to ICS-ALERT-10-305-01 RealFlex RealWin Buffer Overflows, which was published on the ICS-CERT Web site on November 01, 2010.
On October 15, 2010 an independent security researcher posted informationa regarding vulnerabilities in RealFlex Technologies Ltd. RealWin SCADA software products. The security researcher’s analysis indicated that successful exploitation of these vulnerabilities can lead to arbitrary code execution and control of the system.
RealFlex Technologies has validated the researcher’s findings and released an updateb to resolve these issues. ICS-CERT has verified that the software update resolves the vulnerabilities highlighted by the researcher.
All RealWin versions up to and including Version 2.1.8 (Build 6.1.8) are affected by these vulnerabilities.
RealWin is used in small installations for a variety of applications including monitoring water pumping stations, reservoirs, and water treatment plants.
Exploitation of these vulnerabilities may result in remote code execution. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.
RealFlex Technologies was established in 1982 and has offices in Limerick, Ireland; Houston, Texas; and Saratov, Russia. RealFlex Technologies products are used in more than 45 countries with primary sectors being power, oil and gas, water and wastewater, marine, transport, chemical, manufacturing, and telecommunications.
RealWin runs on Microsoft Windows platforms (2000 and XP). It can run on a single system or on multiple PCs connected through a TCP/IP network.
According to the researcher’s report, the service listening on TCP Port 912 is vulnerable to multiple stack-based buffer overflows from specially crafted packets. The stack-based buffer overflows are caused by use of the “sprintf” and “strcpy” functions in the RealWin software.
An attacker with an intermediate skill level could create code to exploit these vulnerabilities. Organizations should be aware that a Metasploit1 module is available for these vulnerabilities and the researcher has also made his exploit code publicly available.
RealFlex has addressed these vulnerabilities with a software update available on the company’s web site.c
RealWin customers who have any questions can contact RealFlex at email@example.com.
The following mitigations are recommended:
- Update RealWin to Version 2.1.10 (Build 6.1.10).
- Ensure that your firewall is restricting access to TCP port 912. RealWin does not require external access to port 912 as it is only used internally on the PC between the communication modules and theRealWin module.
- Encourage asset owners to minimize network exposure for all control system devices. Critical control system and/or network devices should not directly face the Internet. Control system networks and remote devices should be located behind firewalls, and kept isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be utilized, recognizing that VPNs are only as secure as the components at each end of the connection.
Refer to the Control System Security Program Recommended Practices section for control systems on the US-CERT web site. Several recommended practices are available for reading or downloading, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
As with all system changes, administrators should consult their control systems vendor prior to making any control system changes.
Organizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to ICS-CERT for tracking and correlation against other incidents. ICSCERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.
- a. Researcher, http://aluigi.altervista.org/adv/realwin1-adv.txt, website last visited November 4, 2010.
- b. RealFlex, http://csrealflex.com/cs/index.ssp, website last visited November 8, 2010.
- 1. Metasploit, http://www.metasploit.com, website last visited November 8, 2010.
- c. RealFlex, http://cs realflex.com/cs/index.ssp, web site last visited November 8, 2010.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.