Date: 05 July 2012
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0644
ICSA-12-171-01 - WONDERWARE SUITELINK UNALLOCATED UNICODE STRING VULNERABILITY
5 July 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Invensys Wonderware SuiteLink
Publisher: US-CERT
Operating System: Windows
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2012-3007 CVE-2012-3847
Original Bulletin:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-171-01.pdf
Comment: This vulnerability can be exploited remotely, and public exploits are
known to target this vulnerability.
--------------------------BEGIN INCLUDED TEXT--------------------
ICS-CERT ADVISORY
ICSA-12-171-01 - WONDERWARE SUITELINK UNALLOCATED UNICODE STRING VULNERABILITY
June 19, 2012
OVERVIEW
This Advisory is a follow-up to the original ICS-CERT Alert titled
ICS-ALERT-12-136-01 - Wonderware SuiteLink Unallocated Unicode String that was
published May 15, 2012 on the ICS-CERT web page.
Independent researcher Luigi Auriemma identified a vulnerability in the Invensys
Wonderware SuiteLink service (slssvc.exe) in which a maliciously crafted Unicode
string causes a stack-based buffer overflow, and released proof-of-concept (PoC)
exploit code for it. The vulnerability was disclosed without coordination with
ICS-CERT or the vendor. It can be exploited remotely, and public exploits are
known to target it. Wonderware SuiteLink is part of the System Platform
software suite.
ICS-CERT has coordinated this vulnerability with Invensys. Invensys has
confirmed that the vulnerability exists in Wonderware products built prior to
2011 and has produced a patch that resolves it. Luigi Auriemma has validated
that the patch resolves the vulnerability.
AFFECTED PRODUCTS
All Wonderware products built prior to 2011 are affected:
slssvc service Version 54.x.x.x and earlier is vulnerable.
slssvc service Version 58.x.x.x and later is not vulnerable.
slssvc service Versions 55 through 57 were never publicly released.
InTouch 2012 and Wonderware Application Server 2012 do not crash but show
excessive resource consumption if exploited.
IMPACT
The vulnerability allows an attacker to cause a buffer overflow that can
ultimately lead to a denial-of-service (DoS) and crash of the system in some
versions.
The vulnerability allows an attacker to remotely stall or crash the slssvc
service by sending a long and unallocated Unicode string to the buffer. This
exploit could affect critical infrastructure and key resources where Wonderware
SuiteLink is deployed.
Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of this vulnerability based on their operational environment, architecture, and
product implementation.
BACKGROUND
SuiteLink is a common component used for communication between Wonderware
products. It is also used for communication between Wonderware products and
some third-party products developed with Wonderware's Extensibility Tool Kits.
The Invensys Wonderware SuiteLink Service connects Wonderware software with
third-party products and OPC-compliant devices and applications. Generally,
when a Wonderware product is installed, SuiteLink is likely also installed as a
common component. The SuiteLink service is a common component of the System
Platform used to transport value, time, and quality of digital I/O information
and extensive diagnostics with high throughput between industrial devices,
third party, and Wonderware products.
The Invensys (a) Wonderware SuiteLink component is deployed in many industries
worldwide, including manufacturing, energy, food and beverage, chemical, and
water and wastewater.
VULNERABILITY CHARACTERIZATION
VULNERABILITY OVERVIEW
STACK-BASED BUFFER OVERFLOW (b)
Attackers can send an oversized unallocated string into the SuiteLink buffer
that causes the allocated stack buffer to be overwritten. This attack causes a
crash of slssvc.exe and a DoS.
CVE-2012-3007 (c) has been assigned to this vulnerability. A CVSS V2 base score
of 7.1 has also been assigned (AV:N/AC:M/Au:N/C:N/I:N/A:C).(d)
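The pattern behind this bug class, as an added example that is not code from the
advisory, from Invensys or from slssvc.exe: a generic handler for a
length-prefixed UTF-16 string next to a hardened version of the same handler.
The message layout (a 4-byte little-endian count of UTF-16 code units followed
by the code units themselves), the 32-unit stack buffer and all function names
are assumptions made for the illustration, not the SuiteLink wire format. The
hardened handler rejects a count that exceeds either the bytes actually received
(a "long, unallocated" string that claims more data than was sent) or the
destination buffer, and does both checks without a multiplication that could
wrap.

```c
/* Added example (not advisory, Invensys or slssvc.exe code): CWE-121 via a
 * trusted length field. Message layout assumed for illustration only:
 *   bytes 0..3  little-endian count of UTF-16 code units (attacker-controlled)
 *   bytes 4..   that many UTF-16LE code units
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CHARS 32   /* capacity of the fixed stack buffer, in UTF-16 code units */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build a constructed test message: a header carrying an arbitrary declared
 * count (which may deliberately disagree with the body) followed by `text`
 * widened from ASCII to UTF-16LE. Returns bytes written, or 0 if it does not
 * fit in `cap`. */
size_t make_name_msg(uint32_t declared_count, const char *text,
                     uint8_t *buf, size_t cap)
{
    size_t body = strlen(text) * 2;
    if (cap < 4 + body) return 0;
    buf[0] = (uint8_t)declared_count;
    buf[1] = (uint8_t)(declared_count >> 8);
    buf[2] = (uint8_t)(declared_count >> 16);
    buf[3] = (uint8_t)(declared_count >> 24);
    for (size_t i = 0; text[i] != '\0'; i++) {
        buf[4 + 2 * i] = (uint8_t)text[i];   /* low byte of the code unit */
        buf[5 + 2 * i] = 0;                  /* high byte: ASCII only */
    }
    return 4 + body;
}

/* Vulnerable shape: the declared count is trusted, so a count larger than
 * NAME_CHARS writes past `name` on the stack, and a count larger than the
 * received message also reads past the end of `msg`. Never call this on
 * untrusted input; it is here only to contrast with the hardened handler. */
int handle_name_vulnerable(const uint8_t *msg, size_t msg_len)
{
    uint16_t name[NAME_CHARS];
    uint32_t n = rd_le32(msg);              /* attacker-controlled */
    (void)msg_len;                          /* received length never consulted */
    memcpy(name, msg + 4, (size_t)n * 2);   /* stack overflow when n > NAME_CHARS */
    return (int)n;
}

/* Hardened: the declared count must fit both the destination buffer and the
 * bytes actually received. Dividing the received length instead of
 * multiplying the count avoids an integer wrap in the check itself. Returns
 * the number of code units accepted, or -1 for a malformed message (nothing
 * is copied in that case). */
int handle_name_hardened(const uint8_t *msg, size_t msg_len)
{
    uint16_t name[NAME_CHARS];
    if (msg == NULL || msg_len < 4) return -1;      /* no complete header */
    uint32_t n = rd_le32(msg);
    if (n > NAME_CHARS) return -1;                   /* would overflow `name` */
    if (n > (msg_len - 4) / 2) return -1;            /* claims more than was sent */
    for (uint32_t i = 0; i < n; i++)
        name[i] = (uint16_t)(msg[4 + 2 * i] | (msg[5 + 2 * i] << 8));
    return (int)n;
}

/* Build a message and run only the hardened handler on it; -2 means the
 * constructed input itself did not fit the scratch buffer. */
int hardened_result(uint32_t declared_count, const char *text)
{
    uint8_t msg[256];
    size_t len = make_name_msg(declared_count, text, msg, sizeof msg);
    if (len == 0) return -2;
    return handle_name_hardened(msg, len);
}

int main(void)
{
    printf("well-formed (5 units)         -> %d\n", hardened_result(5, "hello"));
    /* Declares 1000 units but sends 5: the "unallocated" string case. */
    printf("over-declared (1000 units)    -> %d\n", hardened_result(1000, "hello"));
    /* Body really is 40 units, more than the 32-unit stack buffer. */
    printf("oversized body (40 units)     -> %d\n",
           hardened_result(40, "0123456789012345678901234567890123456789"));
    return 0;
}
```

The vulnerable handler is never run on the oversized inputs in the demo, since
with those counts it would overwrite the stack exactly as the advisory
describes. The point of the contrast is the pair of checks in
handle_name_hardened: one against the destination capacity and one against
the received length, both made before any copy.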
VULNERABILITY DETAILS
EXPLOITABILITY
This vulnerability is remotely exploitable.
EXISTENCE OF EXPLOIT
Public exploits are known to target this vulnerability.
DIFFICULTY
An attacker with a low skill level would be able to exploit this vulnerability.
MITIGATION
Invensys recommends the following mitigations.
Apply security update patch to affected nodes.
Upgrade to InTouch/Wonderware Application Server (IT 10.5, WAS 3.5) or later.
Upgrade to DASABCIP 4.1 SP2 or DASSiDirect 3.0.
Install DAServer Runtime Components Upgrade 3.0 SP2, 3.0 SP3 or higher for any
DAServer, DI Object, or third-party DAServer installation.
The Invensys security update patch can be found at the Wonderware download Web
site. (e)
ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks. Customers can refer to
Invensys Security Central for further security information.
Minimize network exposure for all control system devices. Critical devices
should not directly face the Internet.
Locate control system networks and remote devices behind firewalls, and
isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing that VPN is only as secure as the connected
devices.
The Control Systems Security Program (CSSP) also provides a section for control
systems security recommended practices on the CSSP web page. Several
recommended practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies. (f) Organizations observing any suspected malicious activity should
follow their established internal procedures and report their findings to
ICS-CERT for tracking and correlation against other incidents. ICS-CERT
reminds organizations to perform proper impact analysis and risk assessment
prior to taking defensive measures.
ICS-CERT CONTACT
For any questions related to this report, please contact ICS-CERT at:
Email: ics-cert@dhs.gov
Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting: www.ics-cert.org
DOCUMENT FAQ
What is an ICS-CERT Advisory?
An ICS-CERT Advisory is intended to provide awareness or solicit feedback from
critical infrastructure owners and operators concerning ongoing cyber events or
activity with the potential to impact critical infrastructure computing
networks.
When is vulnerability attribution provided to researchers?
Attribution for vulnerability discovery is always provided to the vulnerability
reporter unless the reporter notifies ICS-CERT that they wish to remain
anonymous. ICS-CERT encourages researchers to coordinate vulnerability details
before public release. The public release of vulnerability details prior to
the development of proper mitigations may put industrial control systems and
the public at avoidable risk.
a. Invensys, http://www.invensys.com/, Web site last accessed June 19, 2012.
b. CWE-121: Stack Based Buffer Overflow,
http://cwe.mitre.org/data/definitions/121.html,
Web site last accessed June 19, 2012.
c. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3007 , NIST
uses this advisory to create the CVE Web site report. This Web site will be
active sometime after publication of this advisory.
d. CVSS Score, http://nvd.nist.gov/cvss.cfm?adv&name=&vector=%28AV:N/AC:M/Au:N/C:N/I:N/A:C%29&version=2, Web site last accessed June 19, 2012.
e. Wonderware SuiteLink security update patch location,
https://wdn.wonderware.com/sites/WDN/Pages/Downloads/Software.aspx, Web site
last accessed June 19, 2012.
f. CSSP Recommended Practices,
http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html,
Web site last accessed June 19, 2012.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================