invensys
Global Customer Support

About This Article

Document ID: ADV137

Customer Advisory

Buffer Overflow in RDBCMI.RuntimeDB.1 and WWView ActiveX Controls (CR LFSEC00000012)

October 11, 2011

  
  
  

 

Invensys Operations Management is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service. 
  

Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Invensys recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.

 

 

Two vulnerabilities have been discovered in the Wonderware Information Server client-side RDBCMI.RuntimeDB.1 and WWView ActiveX controls. If exploited, these vulnerabilities could cause a stack-based buffer overflow, which could lead to remote code execution on the client machines of Wonderware Information Server 4.0 and older versions of the product. The rating is High, but exploitation may require social engineering. Social engineering is when people are unknowingly manipulated into performing actions that may be detrimental to the system, for example by asking an end user to click on an email link to a rogue site or download a malicious file.

 

This security bulletin announces that software updates are available to customers running Wonderware Information Server 3.1, Wonderware Information Server 4.0 and Wonderware Information Server 4.0 SP1. Please refer to the “Affected Products and components” section to access the updates.

Situation

Customers using supported versions of Wonderware Information Server 3.1, 4.0 and 4.0 SP1 SHOULD set the Security level in the Internet browser to Medium-High to minimize the risk of an exploit of the vulnerability.
 

For information regarding how to secure Industrial Control Systems operating in a Microsoft Windows environment, please reference the Invensys Securing Industrial Control Systems Guide.



NVD Common Vulnerability Scoring System
The U.S. Department of Homeland Security has adopted the Common Vulnerability Scoring System (CVSS) that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The system is comprised of components: impact, exploitability and complexity as well as added determinants such as authentication and impact type. In summary, the components such as impact are given an individual score between 0.0 and 10.0. The average of all components is the overall score where the maximum is 10.0. Details about this scoring system can be found here:
 

     http://nvd.nist.gov/cvss.cfm
 

For Wonderware Information Server 4.0 higher versions, our assessment of the vulnerability using the CVSS Version 2.0 calculator rates an Overall CVSS Score of 6.5. To review the assessment, use this link:
 

 http://nvd.nist.gov/cvss.cfm?name=&vector=(AV:N/AC:H/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C)&version=2 
 

Customers have the option in the Environmental Score Metrics section of the calculator to further refine the assessment based on the organizational environment of the installed product. Adding the Environmental Score Metrics will assist the customer in determining the operational consequences of this vulnerability on their installation.
 

Actions or Resolutions

Affected Products and Components
 
The following table identifies the currently supported products affected. Software updates can be downloaded from the Wonderware Development Network (“Software Download” area) and the Infusion Technical Support websites using the links embedded in the table below.
 

Product and Component: Wonderware Information Server 3.1, 4.0 and 4.0 SP1 – Clients (LFSEC00000012)
Supported Operating System: Windows XP Professional; Windows Server 2003 and SPs; Windows Server 2003 R2 and SPs; Windows Server 2008 and SPs
Security Impact: Remote Code Execution
Severity Rating: High
Software Update: WIS 3.1 from GCS (20.3 Mb); WIS 4.0 and 4.1 from GCS (18.0 Mb)

 


Not Affected Products and components
Wonderware Information Server version 4.5 and higher will not be affected by this vulnerability.

 

Background
Wonderware Information Server provides the full spectrum of industrial information content including process graphics, trends and reports on a single web page.

 

Wonderware Information Server Web Clients are designed for the more casual user who relies on a Web browser to access real-time dashboards, pre-designed reports of industrial activities as well as the occasional requirement for ad-hoc analysis or write back capabilities to the process.

 

Vulnerability Characterization
The Wonderware Information Server RDBCMI.RuntimeDB.1 and WWView client-side ActiveX controls contain vulnerabilities that may lead to remote code execution or cause the hosting application to shut down.

 

All end users of the WIS portal are affected by this vulnerability, as the client-side components are downloaded and installed upon the first visit to the portal. The components themselves are related to the original DisplayWin portal application.

 

ArchestrA Web Graphics are not affected by the vulnerability reported here.
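
An added example, not part of the Invensys advisory: a PowerShell audit for one client that reports the Internet zone security level recommended under Situation and whether the RDBCMI.RuntimeDB.1 control described above has been installed on it. It assumes no Group Policy overrides the per-user zone setting; the function names are hypothetical.

```powershell
# Added example: audit one client for the two conditions the advisory describes.
# Assumption: no Group Policy overrides the per-user Internet zone setting.
$ZoneKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone
$MediumHigh = 0x11500                 # CurrentLevel for the "Medium-high" slider position (High = 0x12000)
$ProgId     = 'RDBCMI.RuntimeDB.1'    # the only ProgID the advisory names

function Get-RegDefault([string]$Path) {
    # Returns the (default) value of a registry key, or $null if the key is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) { return $item.'(default)' }
    return $null
}

function Test-InternetZoneLevel {
    # Compares the Internet zone slider position with the recommended minimum.
    $level = (Get-ItemProperty -Path $ZoneKey -Name CurrentLevel -ErrorAction SilentlyContinue).CurrentLevel
    if ($null -eq $level) { return 'Unknown: CurrentLevel is not set for the Internet zone' }
    if ($level -eq 0)     { return 'Custom level: review the individual ActiveX settings by hand' }
    if ($level -ge $MediumHigh) { return ('OK: Internet zone level is 0x{0:X}' -f $level) }
    return ('Below Medium-High: Internet zone level is 0x{0:X}' -f $level)
}

function Get-ControlRegistration {
    # Resolves the ProgID to its CLSID, then to the file that implements the control.
    $clsid = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not $clsid) { return "$ProgId is not registered on this client" }
    # 32-bit controls on 64-bit Windows register under Wow6432Node.
    foreach ($root in 'CLSID', 'Wow6432Node\CLSID') {
        $dll = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$root\$clsid\InprocServer32"
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            $ver = if (Test-Path $dll) { (Get-Item $dll).VersionInfo.FileVersion } else { 'file missing' }
            return "$ProgId is registered: $dll (file version $ver)"
        }
    }
    return "$ProgId has a CLSID ($clsid) but no InprocServer32 entry"
}

Test-InternetZoneLevel
Get-ControlRegistration
```

The reported file version lets an administrator compare the installed control before and after applying the software update listed for the client's Wonderware Information Server version.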

Other Information

Acknowledgments
Invensys thanks the following for the discovery and collaboration with us on this vulnerability:

  • Billy Rios and Terry McCorkle as independent Security Researchers for reporting the Stack Based buffer overflows
     
  • Along with the continual support and collaboration from the ICS-CERT.


Support
For information on how to reach Invensys Operations Management support for your product, refer to this link:
                     Invensys Customer First Support
If you discover errors or omissions in this bulletin, please report the finding to support.

 

Invensys Operations Management Cyber Security Updates
For information and useful links related to security updates, please visit the Cyber Security Updates site.

 

Cyber Security Standards and Best Practices
For information regarding how to secure Industrial Control Systems operating in a Microsoft Windows environment, please reference the Invensys Securing Industrial Control Systems Guide
  

Invensys Operations Management Security Central
For the latest security information and events, visit Security Central

For Information

If you have any questions regarding this notification, please contact your local Service Representative or an Invensys Support Center at:
 
America's GCS: Foxboro MA USA; Phone +1-866-746-6477; Internationally +1-508-549-2424; Fax +1-508-549-4999
Asia Pacific GCS: Singapore; Phone +65 6829 8899; Fax +65 6829 8898
EURA GCS: Baarn NL; Phone +31-3554-84125; Fax +31-3554-84230
Email: America's GCS, Asia Pacific GCS, EURA GCS
 

 


Regards

John Petty
Director,
Global Customer Support


Distribution to Invensys Customers and Internal Personnel Only
DO NOT REPRODUCE.
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.

All Rights Reserved.

  

Advisory #:  2011060abi