All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
ICS-CERT Advisory ICSA-11-195-01P was originally released to the US-CERT Portal on July 14, 2011. This web page release was delayed to allow users sufficient time to download and install the update.
Independent security researchers Billy Rios and Terry McCorkle have identified a stack-based buffer overflow vulnerability that exists in two different ActiveX controls used by the Wonderware Information Server product. Successful exploitation of this vulnerability could allow remote code execution on a client running vulnerable versions of the software.
ICS-CERT has coordinated with the researchers and Invensys. Invensys has issued a patch to address this vulnerability. The researchers have confirmed this patch fully resolves this reported vulnerability in both vulnerable ActiveX controls.
The following Wonderware Information Server client versions are affected:
- Wonderware Information Server 3.1
- Wonderware Information Server 4.0
- Wonderware Information Server 4.0 SP1.
If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on vulnerable clients at the same privilege level as the exploited process.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Wonderware is a brand offering of the Operations Management Division of Invensys. Invensys Operations Management is a provider of automation and information technologies and systems.
The Wonderware Information Server is used in several industries including oil and gas, chemical, power, pharmaceutical, and water and wastewater treatment.
The Wonderware Information Server contains a stack-based buffer overflow.1 An attacker would need to create a specially crafted webpage or file for the client to open. Successfully exploiting the vulnerability could allow remote code execution in an affected client.
According to Invensys, the overall Common Vulnerability Scoring System (CVSS)2 severity score for this vulnerability is 6.0 (high) but may require social engineering to exploit.
This vulnerability is remotely exploitable. User interaction is likely required to exploit this vulnerability as users must open a malicious file or website on a client with the vulnerable ActiveX control installed in order to allow the execution of code to occur.
Existence of Exploit
No known exploits are specifically targeting this vulnerability.
A moderate set of skills are required to create a working exploit for this vulnerability. In addition, user interaction is required to successfully execute the exploit.
Invensys has developed a patch that fully resolves this vulnerability. This patch has been confirmed by the researchers. Customers of Invensys running vulnerable versions of Information Server can update their systems to the most recent patch release by following the steps provided by Invensys. In addition to applying this patch, Invensys has made additional recommendations to customers running vulnerable versions of the Information Server product.
- Log onto Cyber Security Updates site where Invensys provides information and useful links related to their security updates.
- Set the security level settings in the Internet browser to Medium−High to minimize the risk of an exploit of the vulnerability.
- For information regarding how to secure industrial control systems operating in a Microsoft Windows environment, please reference the Invensys Securing Industrial Control Systems Guide.
ICS-CERT also encourages asset owners to take the following defensive precautions:
- Minimize network exposure for all control system devices.
- Ensure critical control system devices do not directly face the Internet.
- Locate control system networks and remote devices behind firewalls.
- Isolate control system networks and remote devices from the business network.
- If remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the CSSP web page. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open unsolicited attachments in e-mail messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding e-mail scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.