AusCERT - ESB-2012.0497 - ALERT [Win] Measuresoft ScadaPro: Execute arbitrary code/commands

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2012.0497 - ALERT [Win] Measuresoft ScadaPro: Execute arbitrary code/commands - Remote/unauthenticated
Date: 28 May 2012

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0497
              ICSA-12-145-01 MEASURESOFT SCADAPRO DLL HIJACK
                                28 May 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Measuresoft ScadaPro Server prior to 4.0.0
                   Measuresoft ScadaPro Client prior to 4.0.0
Publisher:         US-CERT
Operating System:  Windows 7
                   Windows Vista
                   Windows XP
                   Windows Server 2003
                   Windows 2000
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-1824  

Original Bulletin: 
   http://www.us-cert.gov/control_systems/pdf/ICSA-12-145-01.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS-CERT ADVISORY
ICSA-12-145-01 MEASURESOFT SCADAPRO DLL HIJACK
May 24, 2012

OVERVIEW

Independent researcher Carlos Mario Penagos Hollmann identified a remotely 
exploitable, uncontrolled search path element vulnerability, commonly referred 
to as a DLL hijack, in Measuresofts ScadaPro application. Measuresoft has
produced an upgrade to address this vulnerability. Mr. Hollmann has verified 
that the new version resolves the vulnerability.

AFFECTED PRODUCTS

The following Measuresoft products are affected:
 ScadaPro Server, prior to Version 4.0.0, and
 ScadaPro Client, prior to Version 4.0.0.

IMPACT

Successful exploitation of this vulnerability may lead to arbitrary code 
execution.

Impact to individual organizations depends on many factors that are unique to 
each organization. ICS-CERT recommends that organizations evaluate the impact 
of these vulnerabilities based on their operational environment, architecture, 
and product implementation.

BACKGROUND

ScadaPro is a supervisory control and data acquisition (SCADA) system used in 
the power generation, oil and gas, pharmaceuticals, and manufacturing sectors. 
According to Measuresoft, ScadaPro is sold in multiple countries by various 
third-party distributors, making total deployment difficult to quantify.

Measuresoft Development Ltd. is headquartered in Louth, Ireland, with an office 
in Missouri City, Texas.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

UNCONTROLLED SEARCH PATH ELEMENT (a)

ScadaPro uses a fixed or controlled search path to find resources, which could 
allow an unauthorized user to easily locate and exploit one or more locations. 
An unauthorized user could place a malicious DLL in a directory where it could 
be loaded before the valid DLL. An attacker must have access to the host file 
system to exploit this vulnerability. If exploited, this vulnerability could 
allow execution of arbitrary code.

CVE-2012-1824b has been assigned to this vulnerability. A CVSS v2 base score of 
6 has been assigned; the CVSS vector string is (AV:L/AC:H/Au:S/C:C/I:C/A:C).(c)

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability can be remotely exploited.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

An attacker with a moderate skill level could be able to exploit these 
vulnerabilities.

MITIGATION

Measuresoft has produced an upgrade to address this vulnerability. Links to the 
upgrade can be found here:
 ScadaPro Server: http://www.measuresoft.net/download/versions.aspx?v=CB&d=Server, 
 and
 ScadaPro Client: http://www.measuresoft.net/download/versions.aspx?v=CB&d=Client.
Microsoft has also released a Security Advisory (2269637). (d)

(a). CWE,
http://cwe.mitre.org/data/definitions/427.html, Web site last accessed May 25, 
2012.
(b). NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1824, NIST 
uses this ICS-CERT Advisory to create the CVE Web site report. This Web site 
will be active sometime after publication of this advisory.
(c). CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:L/AC:H/Au:S/C:C/I:C/A:C), 
Web site last visited May 25, 2012.

ICS-CERT encourages asset owners to take additional defensive measures to 
protect against this and other cybersecurity risks.

 Do not click web links or open unsolicited attachments in email messages.

 Refer to Recognizing and Avoiding Email Scams (e)

 Refer to Avoiding Social Engineering and Phishing Attacks for more information 
 on avoiding email scams. (f)

 Minimize network exposure for all control system devices. Critical devices 
 should not directly face the Internet. for more information on social 
 engineering attacks.

 Locate control system networks and remote devices behind firewalls, and 
 isolate them from the business network.

 When remote access is required, use secure methods, such as Virtual Private 
 Networks (VPNs), recognizing that VPN is only as secure as the connected 
 devices.

The Control Systems Security Program (CSSP) also provides a section for control 
systems security recommended practices on the CSSP web page. Several 
recommended practices are available for reading and download, including 
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth 
Strategies. (g)
Organizations observing any suspected malicious activity should follow their 
established internal procedures and report their findings to ICS-CERT for 
tracking and correlation against other incidents. ICS-CERT reminds 
organizations to perform proper impact analysis and risk assessment prior to 
taking defensive measures.

(d). Microsoft Security Advisory, http://technet.microsoft.com/en-us/security/advisory/2269637, 
Web site visited May 25, 2012.
(e). Recognizing and Avoiding Email Scams, http://www.us-cert.gov/reading_room/emailscams_0905.pdf, 
Web site last accessed May 25, 2012
(f). National Cyber Alert System Cyber Security Tip ST04-014, http://www.us-cert.gov/cas/tips/ST04-014.html, 
Web site last accessed May 25, 2012
(g). CSSP Recommended Practices, http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html, 
Web site last accessed May 25, 2012.

ICS-CERT CONTACT
For any questions related to this report, please contact ICS-CERT at:
Email: ics-cert@dhs.gov Toll Free: 1-877-776-7585 For CSSP Information and 
Incident Reporting: www.ics-cert.org

DOCUMENT FAQ

What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide 
awareness or solicit feedback from critical infrastructure owners and 
operators concerning ongoing cyber events or activity with the potential to 
impact critical infrastructure computing networks.

When is vulnerability attribution provided to researchers? Attribution for 
vulnerability discovery is always provided to the vulnerability reporter 
unless the reporter notifies ICS-CERT that they wish to remain anonymous. 
ICS-CERT encourages researchers to coordinate vulnerability details before 
public release. The public release of vulnerability details prior to the 
development of proper mitigations may put industrial control systems and the 
public at avoidable risk.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT8LU8+4yVqjM2NGpAQLGvg/8DeZ8R9hN1l/OZMf72w/qB3qAfEKuuKwL
wcg9Cv3l6KoQcT2LxghiUesO3lK+D5Lqh3t9ylvFpIAXG2311mfK1tkr9NmfQQNm
boauVqPZWPH1f8x2Mvpu1DfZId1+7//UcVQoe9BCypD/4izxpfkrdqy6pWV5eDie
XDC1ppYWJCMGtansYzyw7ncNDP3apB2TjpEbiyMGaY7DnbxX8x6qxQTAf48dN5I3
fr4tvIvl0rCxTu/Ut/zNXr2jp58SIh6EzRiEm1B5hMoV0Qv5+tFvdUbZ7sjptbVh
19Qxdul9rylCuV2sjQTc0M8W408nLF+xndFk3VI/SVm3QaGG9NCbaQo/AOCehPxA
u+7DNXn4OWYYq5hamViUjX5b6BVdGN7ruBgO4/GRsi+yBhfJiVRPXaA58W5/pmPP
1Eh8HNdtGdFzLfZKW9SPlWTTziQCey6UwNYWvp5f/eYfGT4QsQfYJ3rkVn495ukP
JpmGYsqFXnoat8yJJalAtjrmIVHfm7kaq7rbDgpn1Ad1/s4pldgaEiUuKg3IByVS
5LdbSLIfubXbIZ9wkW07ceEwpExfDyPcljJHHiYdgIirsLUpf4lOuWjD08Nji+99
Kfi4bzM+RycTbMN9BIRQeJazmnePjE/U2NaoN2FG1GMxZcqbeNemAg7B0roqQGmz
BXsbL7oxqMI=
=Fh8U
-----END PGP SIGNATURE-----