
Schneider CitectSCADA / Mitsubishi MX4 SCADA Batch Server Buffer Overflow Vulnerability

November 8, 2011

Researcher Kuang-Chun Hung of Taiwan’s Information and Communication Security Technology Center (ICST) has reported a buffer overflow affecting Mitsubishi MX4 Supervisory Control and Data Acquisition (SCADA). Upon further investigation, MX4 SCADA was found to be a version of CitectSCADA, a product offered by Schneider Electric.

A buffer overflow vulnerability resides in a third-party component used by the CitectSCADA and MX4 SCADA Batch products. It is caused by a boundary error in the batch module's handling of the logon sequence, and an overly long string can trigger the overflow. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

The following products and versions are affected:
- CitectSCADA V7.10 and prior using the CitectSCADA Batch Server module.
- Mitsubishi MX4 SCADA V7.10 and prior using the MX4 SCADA Batch module.

ICS-CERT Advisories / Alerts

ICSA-11-279-02
ICSA-11-279-01P (released on Oct. 6, 2011 via US-CERT secure Portal)

Vendor Website (includes Patches / Hotfixes)

Security Notification for CitectSCADA Batch Server - released Aug. 23, 2011
Schneider Electric Safety and Security Knowledge Base
CitectSCADA Product Info (includes link for free download)
Schneider Citect Homepage
Mitsubishi MX4 SCADA Product Info
Mitsubishi MELSOFT Homepage

Exploit Proof-of-Concept

No public exploit is available at this time.

Common Vulnerability & Exposure (CVE) References

Not available at this time.

Additional Information

Secunia Advisory #46779
Secunia Advisory #46786
Secunia Vulnerability Report and Statistics on CitectSCADA 7.x
Secunia Vulnerability Report and Statistics on Mitsubishi MX4 SCADA 7.x

Third Party Vulnerability Hits Mitsubishi (ISSSource)