About This Article
Document ID: ADV137
Customer Advisory
Buffer Overflow in RDBCMI.RuntimeDB.1 and WWView Active X Controls (CR LFSEC00000012 )
October 11, 2011
Invensys Operations Management is
committed to ensuring that our customers and employees are kept current
on issues that might affect or improve product, system or process
operation. We are dedicated to providing product and application
reliability, and exceptional client service.
Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Invensys recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.
Two vulnerabilities have been discovered in the Wonderware Information Server client side RDBCMI.RuntimeDB.1 and the WWView ActiveX controls. This vulnerability, if exploited, could cause a stack based buffer overflow that if exploited could cause remote code execution on the client machines of Wonderware Information Server 4.0 and older versions of the product. The rating is High but may require social engineering to exploit. Social engineering is when people are unknowingly manipulated to perform certain actions that may be detrimental to the system. For example, asking an end-user to click on an email link to a rogue site or download a malicious file.
This security bulletin announces that software updates are available
to customers running Wonderware Information Server 3.1, Wonderware
Information Server 4.0 and Wonderware Information Server 4.0 SP1. Please
refer to the “Affected Products and components” section to access the
updates.
Situation
Customers using supported
versions of Wonderware Information Server 3.1, 4.0 and 4.0 SP1 SHOULD
set the Security level settings in the Internet browser to Medium - High
to minimize the risk of an exploit of the vulnerability.
For information regarding how to secure Industrial Control Systems operating in a Microsoft Windows environment, please reference the
NVD Common Vulnerability Scoring System
The U.S. Department of Homeland Security has adopted the common
Vulnerability Scoring System (CVSS) that provides an open framework for
communicating the characteristics and impacts of IT vulnerabilities.
The system is comprised of components: impact, exploitability and
complexity as well as added determinants such as authentication and
impact type. In summary, the components such as impact are given an
individual score between 0.0 and 10.0. The average of all components is
the overall score where the maximum is 10.0. Details about this scoring
system can be found here:
For Wonderware Information Server 4.0 higher versions, our assessment
of the vulnerability using the CVSS Version 2.0 calculator rates an
Overall CVSS Score of 6.5 To review the assessment, use this link:
http://nvd.nist.gov/cvss.cfm?name=&vector=(AV:N/AC:H/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C)&version=2
Customers have the option in the Environmental Score Metrics section
of the calculator to further refine the assessment based on the
organizational environment of the installed product. Adding the
Environmental Score Metrics will assist the customer in determining the
operational consequences of this vulnerability on their installation.
Actions or Resolutions
Affected Products and Components
The following table identifies the currently supported products
affected . Software updates can be downloaded from the Wonderware
Development Network (“Software Download” area) and the Infusion
Technical Support websites using the links embedded in the table
below.
Product and Component | Supported Operating System | Security Impact |
Severity Rating |
Software Update |
Wonderware Information Server 3.1, 4.0 and 4.0 SP1– Clients (LFSEC00000012) |
Windows XP Professional Windows Server 2003 and SPs Windows Server 2003 R2 and SPs Windows Server 2008 and SPs |
Remote Code Execution | High |
Not Affected Products and components
Wonderware Information Server 4.5 version and higher will not be affected by this vulnerability.
Background
Wonderware Information Server provides the full spectrum of
industrial information content including process graphics, trends and
reports on a single web page.
Wonderware Information Server Web Clients are designed for the more casual user who relies on a Web browser to access real-time dashboards, pre-designed reports of industrial activities as well as the occasional requirement for ad-hoc analysis or write back capabilities to the process.
Vulnerability Characterization
The Wonderware Information Server RDBCMI.RuntimeDB.1 and WWView
Client-side ActiveX Controls contain vulnerabilities that may lead to
remote Code Execution the hosting application to shut down.
All end users of the WIS portal are affected by this vulnerability as the client side components are downloaded and installed upon the first visit to the portal. The components themselves are related to the original DisplayWin portal Application
ArchestrA Web Graphics are not affected by the vulnerability reported here.
Other Information
Acknowledgments
Invensys thanks the following for the discovery and collaboration with us on this vulnerability:
Billy Rios and Terry McCorkle as independent Security Researchers for reporting the Stack Based buffer overflows
Along with the continual support and collaboration from the ICS-CERT.
Support
For information on how to reach Invensys Operations Management support for your product, refer to this link:
Invensys Customer First Support
If you discover errors or omissions in this bulletin, please report the finding to support.
Invensys Operations Management Cyber Security Updates
For information and useful links related to security updates, please visit the Cyber Security Updates site.
Cyber Security Standards and Best Practices
For information regarding how to secure Industrial Control Systems operating in a Microsoft Windows environment, please reference the Invensys Securing Industrial Control Systems Guide
Invensys Operations Management Security Central
For the latest security information and events, visit Security Central
For Information
GCS Center | America's GCS | Asia Pacific GCS | EURA GCS |
Location | Foxboro MA USA | Singapore | Baarn NL |
Phone | +1-866-746-6477 | +65 6829 8899 | +31-3554-84125 |
Internationally | +1-508-549-2424 | ||
Fax | +1-508-549-4999 | +65 6829 8898 | +31-3554-84230 |
America's GCS | Asia Pacific GCS | EURA GCS |
Regards
John Petty
Director,
Global Customer Support
Distribution to Invensys Customers and Internal Personnel Only
DO NOT REPRODUCE.
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.
All Rights Reserved.
Advisory #: 2011060abi