-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0030
       A number of vulnerabilities have been identified in Invensys
                  Wonderware Intelligence Tableau Server
                             26 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Invensys Wonderware Intelligence Tableau Server
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-0156 CVE-2013-0155 
Member content until: Thursday, March 28 2013
Reference:            ESB-2013.0084
                      ESB-2013.0069
                      ESB-2013.0059

OVERVIEW

        A number of vulnerabilities have been identified in Invensys Wonderware
        Intelligence Tableau Server up to version 1.5 SP1. [1]


IMPACT

        ICS-CERT has provided the following details regarding these 
        vulnerabilities:
        
        "PERMISSIONS, PRIVLEGES, AND ACCESS CONTROLS
        
        Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x 
        before 3.2.11 does not properly consider differences in parameter 
        handling between the Active Record component and the JSON 
        implementation. This difference in parameter handling allows remote
        attackers to bypass intended database-query restrictions and perform
        NULL checks or trigger missing WHERE clauses via a crafted request,
        as demonstrated by certain [nil] values.
        
        CVE-2013-0155 has been assigned to this vulnerability. A CVSS v2 
        base score of 6.4 has been assigned; the CVSS vector string is 
        (AV:N/AC:L/Au:N/C:P/I:P/A:N)." [1]
        
        "INPUT VALIDATION
        
        Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 
        3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of
        string values. By leveraging Action Pack support for (1) YAML type 
        conversion or (2) Symbol type conversion, an attacker can conduct 
        object-injection attacks and execute arbitrary code or cause a 
        denial of service involving nested XML entity references.
        
        CVE-2013-0156 has been assigned to this vulnerability. A CVSS v2 
        base score of 7.5 has been assigned; the CVSS vector string is 
        (AV:N/AC:L/Au:N/C:P/I:P/A:P)." [1]
        
        ICS-CERT has stated that while there are no known exploits for these
        vulnerabilities, "... an attacker with a low skill would be able to 
        exploit these vulnerabilities." [1]


MITIGATION

        ICS-CERT recommends that administrators apply the available
        security update. ICS-CERT has also stated that "Customers currently 
        using a version older than 1.5 SP1 are required to obtain a new 
        license." [1]


REFERENCES

        [1] ICSA-13-036-01A - WONDERWARE INTELLIGENCE TABLEAU SERVER RUBY ON
            RAILS IMPROPER INPUT VALIDATION
            http://ics-cert.us-cert.gov/pdf/ICSA-13-036-01A.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUSwqnO4yVqjM2NGpAQI69BAAmEer2tDRUJMUVCWlguOwlvmj6nNZPDsp
DV1Xb6NOwg2ZpGmREXS15go/er7g1QcV8eAxwlFbh0QzbUHuPcJe5eKFkhBIYQpo
CLpwVuxCfwzDAZ6o/UJQVfwn43FkC88lSFAxBrYRJIOljDLvLJpUucyXlSXGsapK
Ar3mfBsgMjcPNK/TXa8/krXS6Eq1NpL41I9OTmQtjTRyc+qfjdSehkk2N3lh8yVh
6lgHmZA496D+YbhK+lBbUxpRTkS044W/K/4H7yNHJlrY8vhTOUErXkfkcjmEJkAh
i0cJC9Ym07HKFrIT+Gv4FOHiaEHQOu6TvK3Cw3/hZAPMhxfPJbLzWINH5Y1XLPwl
FtzDPxPnCIPQjdp7+cGkt0IvlQpBzVCuR8VL3d3ulSBrUliPFIHLdeVKmpGVrLxP
TjgXGdPo1tt8x/pJVn/HKk61E69lGd+UJiqF9AhDbAltBfXb+afHwjsMWhaiSSJj
kbi8C2SsTJ1h4LltLYOaDBu59vV4Cwh64G+Jf9nvqdoQAMuKeWxv25MVagNFnBtj
fovWvP7Ls+yYV+JF2p3AGp5PlqIRkFLCXrD2shFFxguGPXJEkLGSLYzEykM2WRL/
VxHyyVFDqRKBlgCzzI4jZKcDZpIb4warvbZIVfwe2/GfbPb386QuiYCfokfoZW00
Vq72hR0lYXA=
=lytC
-----END PGP SIGNATURE-----