Advantech ADAM OPC Server ActiveX Control Buffer Overflow Vulnerability

November 4, 2011

The Information and Communication Security Technology Center (ICST), a security research and service institute, has identified a buffer overflow vulnerability that affects multiple Advantech OPC (OLE for Process Control) Server products.

Advantech ADAM OPC Server is prone to a remote buffer-overflow vulnerability because it fails to sufficiently validate user-supplied data. This issue affects an unspecified ActiveX control.

Attackers can exploit this issue to execute arbitrary code within the context of the affected application that uses the ActiveX control (typically Internet Explorer). Failed exploit attempts will result in a denial-of-service condition.

ICS-CERT originally released Advisory ICSA-11-279-01P on the US-CERT secure Portal on October 06, 2011. This web page release was delayed to allow users time to download and install the update.
This vulnerability may allow remote code execution and elevated user privileges.

Advantech has produced a new software version that mitigates this vulnerability. ICST has tested the new version and confirmed that it fully resolves this vulnerability.

ICS-CERT Advisories / Alerts

ICSA-11-279-01
ICSA-11-279-01P - published Oct. 6, 2011 - FOR OFFICIAL USE ONLY

Vendor Website (includes Patches / Hotfixes)

Advantech Important Notice - ADAM OPC Server Buffer Overflow
Advantech OPC Server Patch Downloads
Advantech OPC Server for ADAM & Modbus Device Product Information (includes Trial Software)
Advantech Industrial Automation Product Home Page

Exploit Proof-of-Concept

Security Focus (ID 50047)
No public exploit is available at this time.

Common Vulnerability & Exposure (CVE) References

CVE-2011-1914
NVD CVE-2011-1914

Additional Information

Security Focus Vulnerability Info and Exploit Bugtraq ID 50529

Advantech Holes in OPC Offerings (ISSSource)