-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0038
            Invensys Wonderware InBatch ActiveX Vulnerabilities
                              10 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Invensys Wonderware InBatch
Publisher:            US-CERT
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-4870

Original Bulletin:
   http://www.us-cert.gov/control_systems/pdf/ICSA-11-332-01A.pdf

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS-CERT Advisory ICSA-11-332-01A

ICS-CERT ADVISORY
ICSA-11-332-01A INVENSYS WONDERWARE INBATCH ACTIVEX VULNERABILITIES
UPDATE A
January 04, 2012

OVERVIEW

ICS-CERT originally released advisory "ICSA-11-332-01P - Invensys Wonderware
InBatch ActiveX Vulnerabilities" in the US-CERT secure portal on November 28,
2011. This web page release was delayed to allow users time to download and
install the update.

Researcher Kuang-Chun Hung of the Security Research and Service
Institute-Information and Communication Security Technology Center (ICST) has
identified three vulnerabilities in Invensys Wonderware InBatch. These
vulnerabilities exist in the GUIControls, BatchObjSrv, and BatchSecCtrl ActiveX
controls. Successful exploitation of these vulnerabilities could allow an
attacker to execute arbitrary code or cause a denial of service (DoS) on
systems with affected versions of Wonderware InBatch Runtime Client components.

ICS-CERT has coordinated the report with the ICST and Invensys. Invensys has
issued software updates that resolve these vulnerabilities. The ICST has
confirmed the software updates fully resolve the reported vulnerabilities.
AFFECTED PRODUCTS

The following Invensys Wonderware InBatch versions are affected:

* 8.1 SP1, 9.0 SP2, and 9.5.
* InBatch Server and Runtime Clients 9.0 and 9.0 SP1.

The affected components exist in a variety of Wonderware products, including
InTouch and Information Server browser clients that have downloaded converted
windows that contain these controls. According to Invensys, I/A Series Batch
8.1 SP1 and Wonderware InBatch 9.5 SP1 and higher are not affected by these
vulnerabilities.

IMPACT

If successfully exploited, these vulnerabilities could allow an attacker to
execute arbitrary code on systems running affected versions of the product.

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of these vulnerabilities based on their operational environment, architecture,
and product implementation.

BACKGROUND

Invensys Wonderware InBatch is used in many industries worldwide, including
manufacturing, energy, food and beverage, chemical, and water and wastewater.
The InBatch Runtime Client provides an interface to the batch management
system to allow operator interaction during batch execution.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

Affected versions of the InBatch Runtime Client components contain three
buffer overflow vulnerabilities. [a][b] These vulnerabilities could be
exploited by using long string values for the properties/methods of the
referenced controls. This could result in either a DoS or remote code
execution running with the privileges of the logged-in user.

- --------- Begin Update A Part 1 of 1 --------

CVE-2011-4870 [c] has been assigned to this vulnerability. Invensys has
assessed the vulnerabilities using the CVSS [d] Version 2.0 calculator and
gives the Overall CVSS = 6.0. Click here to review the assessment.

- --------- End Update A Part 1 of 1 ----------

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability is remotely exploitable.
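The defect class named in the VULNERABILITY OVERVIEW above (a control property or method argument copied into a fixed-size buffer with no length check, CWE-121/122 per references [a] and [b]) is easiest to see in miniature. The C below is an added illustration written for this bulletin; it is not Wonderware code, and the `struct control`, `set_name_unchecked`, `set_name_checked` names, the buffer size and the return codes are all invented. It places the defective copy beside the bounded form that rejects an over-long value and reports the failure to its caller instead of writing past the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical capacity of a string property's backing buffer (constructed). */
#define NAME_CAPACITY 32

/* Result codes loosely modelled on a COM-style success/failure pair (constructed). */
#define RC_OK          0
#define RC_INVALID_ARG (-1)

/* Hypothetical control instance holding one string-valued property. */
struct control {
    char name[NAME_CAPACITY];
    int  name_len;
};

/*
 * Defective pattern: the incoming value is copied with strcpy, so any value of
 * NAME_CAPACITY bytes or more writes past the end of `name` (CWE-121 on the
 * stack, CWE-122 on the heap, depending on where the instance lives). The only
 * thing keeping this program well-defined is that main() passes it a short value.
 */
static int set_name_unchecked(struct control *c, const char *value)
{
    strcpy(c->name, value);            /* no bound: overflow on long input */
    c->name_len = (int)strlen(value);
    return RC_OK;
}

/*
 * Hardened pattern: measure the value against the buffer before copying, reject
 * anything that would not fit together with its terminator, and report the
 * failure so the caller can surface an error rather than corrupt memory.
 */
static int set_name_checked(struct control *c, const char *value)
{
    size_t len;

    if (c == NULL || value == NULL)
        return RC_INVALID_ARG;

    /* Bounded scan: stop at NAME_CAPACITY so an unterminated or over-long value
       cannot make us read far beyond the caller's buffer either. */
    for (len = 0; len < NAME_CAPACITY && value[len] != '\0'; len++)
        ;
    if (len >= NAME_CAPACITY)          /* no room for the terminating NUL */
        return RC_INVALID_ARG;

    memcpy(c->name, value, len);
    c->name[len] = '\0';
    c->name_len = (int)len;
    return RC_OK;
}

/* Constructed sample values: one that fits, one deliberately too long. */
static const char SHORT_VALUE[] = "BATCH-001";
static const char LONG_VALUE[]  =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Named checks so the behaviour can be verified from a harness. */
int checked_accepts_short(void)
{
    struct control c = {{0}, 0};
    return set_name_checked(&c, SHORT_VALUE) == RC_OK
        && strcmp(c.name, SHORT_VALUE) == 0
        && c.name_len == (int)strlen(SHORT_VALUE);
}

int checked_rejects_long(void)
{
    struct control c = {{0}, 0};
    int rc = set_name_checked(&c, LONG_VALUE);
    /* Rejected, and the backing buffer is left untouched. */
    return rc == RC_INVALID_ARG && c.name[0] == '\0' && c.name_len == 0;
}

int main(void)
{
    struct control c = {{0}, 0};
    set_name_unchecked(&c, SHORT_VALUE);   /* safe only because the value fits */
    printf("unchecked setter, short value: %s\n", c.name);
    printf("checked setter accepts short value: %d\n", checked_accepts_short());
    printf("checked setter rejects long value:  %d\n", checked_rejects_long());
    return 0;
}
```

The point of the pairing is that the fix is a bound check at the property boundary, not a change to what the control does with the value afterwards; that is also why the advisory's DIFFICULTY assessment separates the easy outcome (a crash when the copy overruns) from the harder one (controlled code execution), since both start from the same unbounded copy.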
This exploit may require social engineering.

EXISTENCE OF EXPLOIT

No publicly known exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with a low skill level can create the DoS; a more skilled attacker
could exploit the vulnerability to execute arbitrary code.

MITIGATION

Invensys has developed software updates to address the reported
vulnerabilities. Invensys recommends that customers who are running vulnerable
versions of Wonderware InBatch update their systems to either InBatch 9.0 SP2
or 9.5 on all nodes that have the InBatch client runtime and the InBatch
Server installed. Installation does not require a reboot.

Customers can download updates from the Software Download section of the
Invensys Customer First Support website:

   https://wdn.wonderware.com/sites/WDN/Pages/Downloads/Software.aspx

Follow the instructions in the ReadMe section for the product and component to
install the software update.

In addition to applying the software updates, Invensys has made the following
additional recommendations to customers running vulnerable versions of the
Invensys Wonderware InBatch product:

* Set the security level settings for the Internet browser to Medium-High to
  minimize the risk of a vulnerability exploit.
* Reference the Invensys Securing Industrial Control Systems Guide for
  additional information on securing industrial control systems operating in
  a Microsoft Windows environment.

To access information related to Invensys security updates, customers can log
on to the Cyber Security Updates website and the GCS Foxboro Wonderware
Security Releases webpage:

   https://wdn.wonderware.com/sites/WDN/Pages/Security Central/default.aspx
   http://support.ips.invensys.com/content/WDN/HTM/ww_security.asp

ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks.

* Minimize network exposure for all control system devices. Critical devices
  should not directly face the Internet.
* Locate control system networks and remote devices behind firewalls, and
  isolate them from the business network.
* When remote access is required, use secure methods, such as Virtual Private
  Networks (VPNs), recognizing that a VPN is only as secure as the connected
  devices.

The Control Systems Security Program (CSSP) also provides a section for
control system security recommended practices on the CSSP web page. Several
recommended practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies. [e]

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents.

ICS-CERT reminds organizations to perform proper impact analysis and risk
assessment prior to taking defensive measures.

In addition, ICS-CERT recommends that users take the following measures to
protect themselves from social engineering attacks:

1. Do not click web links or open unsolicited attachments in e-mail messages.
2. Refer to Recognizing and Avoiding Email Scams [f] for more information on
   avoiding e-mail scams.
3. Refer to Avoiding Social Engineering and Phishing Attacks [g] for more
   information on social engineering attacks.

ICS-CERT CONTACT

For any questions related to this report, please contact ICS-CERT at:

E-mail:    ics-cert@dhs.gov
Toll Free: 1-877-776-7585

For CSSP Information and Incident Reporting: www.ics-cert.org

DOCUMENT FAQ

What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide
awareness or solicit feedback from critical infrastructure owners and
operators concerning ongoing cyber events or activity with the potential to
impact critical infrastructure computing networks.

When is vulnerability attribution provided to researchers?
Attribution for vulnerability discovery is always provided to the vulnerability
reporter unless the reporter notifies ICS-CERT that they wish to remain
anonymous. ICS-CERT encourages researchers to coordinate vulnerability details
before public release. The public release of vulnerability details prior to
the development of proper mitigations may put industrial control systems and
the public at avoidable risk.

REFERENCES

a. http://cwe.mitre.org/data/definitions/121.html, website accessed
   January 03, 2012.
b. http://cwe.mitre.org/data/definitions/122.html, website accessed
   January 03, 2012.
c. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4870, NIST uses
   this advisory to create the CVE website report. This website will be
   active sometime after publication of this advisory.
d. http://nvd.nist.gov/cvss.cfm, website last accessed January 03, 2012.
e. CSSP Recommended Practices,
   http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html,
   website last accessed January 03, 2012.
f. Recognizing and Avoiding Email Scams,
   http://www.us-cert.gov/reading_room/emailscams_0905.pdf, website last
   accessed January 03, 2012.
g. National Cyber Alert System Cyber Security Tip ST04-014,
   http://www.us-cert.gov/cas/tips/ST04-014.html, website last accessed
   January 03, 2012.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTwu+qO4yVqjM2NGpAQJGVQ//axh76Ku5wyaiWTUvDcN6aebRecGEa6PR
YKyvEbFRl9K1/mK40vQnSYenYpL5LjjiN0ZfP0hjCPDRR9I86Ny2Bl5q+8i/nYv3
DCFFMGRDDIiqXFw6wQdq5fRlRd68e/qjq+TDQd+cKiuBewvZMv/gTgRsKd7gQnV9
pN9oOeUUR0efqANDZxp333YoBxLuPPA35NfLZO3PeUpdPjJOl7a87Na2etxMpxsS
Fw/xySeYxmOl31ONZUsuk1P0fCYJPWkyJvJgW0Ky5KQkG6r+1nj0JPNP8Sk+VpOV
jwONcMMJRfaQVRq/KmaDoBs8ULy1eO+XGFZlaQLvYe5OIO+MAqHopx0MlIBqjops
z2hN77Rc5TmT4AzFzegeZAyB+63e03YRCC+abuH2xY0mCqIJvFVdLjvk1D/TkJ1q
TvNrVjGfMFVKtyiDWkAETGxC/eURqAhyYjHk+0MzwEodqRbbB5sPWrq9FwLzq8ar
DNBFGVy9BtiWxjqkM/1DleOsNIY0bQ6iEiyI8ZRKEnTBcExWd5ImUImD1sTLNva4
Yjo0iwfxasLvNIWsqsEODE1E42N4TTHKdfnj1+VIDt47q0zBxlH2ZkUaLdwFxhbl
dNsNoe0VmQfl3/TLTdiMICOBJurd042kAXd9u9ZeIWGp+aKdAfgILIeMb4jcHzuB
yXJw8DSeFhc=
=A/v9
-----END PGP SIGNATURE-----