September 13, 2011 (updated October 21, 2011)

Luigi Auriemma has publically disclosed the following vulnerability with the Progea Movicon application.

Movicon is prone to two buffer overflow and one memory corruption vulnerabilities affecting the Progea Movicon’s PowerHMI product.

Remote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions.

Movicon 11.2 Build 1085 and earlier, Progea Movicon PowerHMI 11.2.1085 and earlier have been confirmed to be vulnerable.

SCADAhacker comment:
There was an additional disclosure
     Movicon 'dwmapi.dll" DLL Loading Arbitrary Code Execution Vulnerability
that was released at the same time by Mister Teatime, and was NOT mentioned in the ICS-CERT advisory, as it appeared to be a software bug that was fixed by the vendor.  Information and links have been provided below.

ICSA-11-294-01
ICS-ALERT-11-256-01

Security Hotfix/Patch (download link)
Vendor Homepage
Movicon 11.2 Product Page

Exploit-DB ID 17842
Security Focus (ID 49605)
Additional PoC links available in Disclosure Reference by Luigi Auriemma

CVE-2011-3491
NVD CVE-2011-3491
CVE-2011-3498
NVD CVE-2011-3498
CVE-2011-3499
NVD CVE-2011-3491

Disclosure (Luigi Auriemma) - Part 1 of 3
Disclosure (Luigi Auriemma) - Part 2 of 3
Disclosure (Luigi Auriemma) - Part 3 of 3
Exploit-DB ID 17842
Security Focus Vulnerability Info and Exploit Bugtraq ID 49604
Security Focus Vulnerability Info and Exploit Bugtraq ID 49605

IBM Internet Security Systems #69787
IBM Internet Security Systems #69788
IBM Internet Security Systems #69789
Open-Source Vulnerability Database #75491
Open-Source Vulnerability Database #75492
Open-Source Vulnerability Database #75493
Secunia Advisory #45969
Secunia Vulnerability Report and Statistics on Movicon 11.x

Patch Out for Moviecon HMI (ISSSource)
More SCADA Vulnerabilities Hit Industry (ISSSource)