Operating System:

[Win]

Published:

10 January 2012

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0038
            Invensys Wonderware InBatch ActiveX Vulnerabilities
                              10 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Invensys Wonderware InBatch
Publisher:         US-CERT
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-4870  

Original Bulletin: 
   http://www.us-cert.gov/control_systems/pdf/ICSA-11-332-01A.pdf

--------------------------BEGIN INCLUDED TEXT--------------------

ICS-CERT Advisory ICSA-11-332-01A

ICS-CERT ADVISORY

ICSA-11-332-01A INVENSYS WONDERWARE INBATCH ACTIVEX VULNERABILITIES

UPDATE A

January 04, 2012

OVERVIEW

ICS-CERT originally released advisory "ICSA-11-332-01P - Invensys Wonderware
InBatch ActiveX Vulnerabilities" in the US-CERT secure portal on November 28,
2011. This web page release was delayed to allow users time to download and
install the update.

Researcher Kuang-Chun Hung of the Security Research and Service
Institute-Information and Communication Security Technology Center (ICST) has
identified three vulnerabilities in Invensys Wonderware InBatch. These
vulnerabilities exist in the GUIControls, BatchObjSrv, and BatchSecCtrl
ActiveX controls.

Successful exploitation of these vulnerabilities could allow an attacker to
execute arbitrary code or cause a denial of service (DoS) on systems with
affected versions of Wonderware InBatch Runtime Client components.

ICS-CERT has coordinated the report with the ICST and Invensys. Invensys has
issued software updates that resolve these vulnerabilities. The ICST has
confirmed the software updates fully resolve the reported vulnerabilities.

AFFECTED PRODUCTS

The following Invensys Wonderware InBatch versions are affected:
 8.1 SP1, 9.0 SP2, and 9.5.InBatch Server and Runtime Clients
 9.0 and 9.0 SP1.

The affected components exist in a variety of Wonderware products including
InTouch and Information Server browser clients that have downloaded converted
windows that contain these controls.

According to Invensys, I/A Series Batch 8.1 SP1 and Wonderware InBatch 9.5 SP1
and higher are not affected by these vulnerabilities.

IMPACT

If successfully exploited, these vulnerabilities could allow an attacker to
execute arbitrary code on systems running affected versions of the product.

Impact to individual organizations depends on many factors that are unique to
each organization. ICS-CERT recommends that organizations evaluate the impact
of these vulnerabilities based on their operational environment, architecture,
and product implementation.

BACKGROUND

Invensys Wonderware InBatch is used in many industries worldwide including
manufacturing, energy, food and beverage, chemical, and water and wastewater.
The InBatch Runtime Client provides an interface to the batch management
system to allow operator interaction during the batch execution.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

Affected versions of the InBatch Runtime Client components contain three
buffer overflow vulnerabilities. [a][b] 

These vulnerabilities could be exploited by using long string values for the
properties/methods of the referenced controls. This could result in either a
DoS or remote code execution running with privileges of the logged-in user.
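
The overflow class described above (CWE-121 and CWE-122), shown as an added example that is not taken from the advisory or from any Invensys code: a hypothetical control whose string properties are first copied unchecked, then copied only after the length has been measured and over-long values rejected. The structure, function names and size limits are all assumptions.

```c
/* Added illustration: "control", its properties and the limits are hypothetical. */
#include <stdlib.h>
#include <string.h>

#define LABEL_MAX  64   /* assumed size of the fixed label buffer */
#define RECIPE_MAX 256  /* assumed upper bound for the heap-backed property */

enum prop_status { PROP_OK = 0, PROP_TOO_LONG = -1, PROP_NO_MEMORY = -2 };

struct control {
    char  label[LABEL_MAX];  /* fixed-size buffer (CWE-121 when it lives on the stack) */
    char *recipe;            /* heap allocation (CWE-122) */
};

/* BEFORE: copies whatever length the caller supplies. Kept for comparison, never called. */
void set_label_unchecked(struct control *c, const char *value)
{
    strcpy(c->label, value); /* overruns label[] once strlen(value) >= LABEL_MAX */
}

/* Length of s if a terminator occurs within max bytes, otherwise (size_t)-1. */
static size_t bounded_len(const char *s, size_t max)
{
    const char *end = memchr(s, '\0', max);
    return end ? (size_t)(end - s) : (size_t)-1;
}

/* AFTER: reject over-long values instead of copying or silently truncating them. */
enum prop_status set_label(struct control *c, const char *value)
{
    size_t n = bounded_len(value, LABEL_MAX);
    if (n == (size_t)-1) return PROP_TOO_LONG;
    memcpy(c->label, value, n + 1);          /* n + 1 <= LABEL_MAX is guaranteed */
    return PROP_OK;
}

enum prop_status set_recipe(struct control *c, const char *value)
{
    size_t n = bounded_len(value, RECIPE_MAX);
    if (n == (size_t)-1) return PROP_TOO_LONG;
    char *copy = malloc(n + 1);              /* sized from the measured length */
    if (copy == NULL) return PROP_NO_MEMORY;
    memcpy(copy, value, n + 1);
    free(c->recipe);                         /* replace only after the copy succeeded */
    c->recipe = copy;
    return PROP_OK;
}
```

Rejecting the value outright, rather than truncating it, keeps the stored property either fully valid or unchanged.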

--------- Begin Update A Part 1 of 1 --------

CVE-2011-4870 [c] has been assigned to this vulnerability. Invensys has
assessed the vulnerabilities using the CVSS [d] Version 2.0 calculator and
gives the Overall CVSS = 6.0.

--------- End Update A Part 1 of 1 ----------

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability is remotely exploitable. This exploit may require social
engineering.

EXISTENCE OF EXPLOIT

No publicly known exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with a low skill level can create the DoS; a more skilled attacker
could exploit the vulnerability to execute arbitrary code.

MITIGATION

Invensys has developed software updates to address the reported
vulnerabilities. Invensys recommends that customers who are running vulnerable
versions of Wonderware InBatch update their systems to either InBatch 9.0 SP2
or 9.5 on all nodes that have the InBatch client runtime and the InBatch Server
installed. Installation does not require a reboot.

Customers can download updates from the Software Download section of the
Invensys Customer First Support website:

https://wdn.wonderware.com/sites/WDN/Pages/Downloads/Software.aspx.

Follow the instructions in the ReadMe section for the product and component to
install the software update.

In addition to applying the software updates, Invensys has made additional
recommendations to customers running vulnerable versions of the Invensys
Wonderware InBatch product:
	
	* Set the security level settings for the Internet browser to
	Medium-High to minimize the risk of a vulnerability exploit.
	
	* Reference the Invensys Securing Industrial Control Systems Guide for
	additional information on securing industrial control systems operating
	in a Microsoft Windows environment.

To access information related to Invensys security updates, customers can log on
to the Cyber Security Updates website and the GCS Foxboro Wonderware Security
Releases webpage:
https://wdn.wonderware.com/sites/WDN/Pages/Security Central/default.aspx
http://support.ips.invensys.com/content/WDN/HTM/ww_security.asp.

ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks.

	* Minimize network exposure for all control system devices. Critical
	devices should not directly face the Internet.

	* Locate control system networks and remote devices behind firewalls,
	and isolate them from the business network.

	* When remote access is required, use secure methods, such as Virtual
	Private Networks (VPNs), recognizing that VPN is only as secure as the
	connected devices.

The Control Systems Security Program (CSSP) also provides a section for control
system security recommended practices on the CSSP web page. Several recommended
practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
[e]

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents. ICS-CERT reminds
organizations to perform proper impact analysis and risk assessment prior to
taking defensive measures.

In addition, ICS-CERT recommends that users take the following measures to
protect themselves from social engineering attacks:

	1. Do not click web links or open unsolicited attachments in e-mail
	messages.
	
	2. Refer to Recognizing and Avoiding Email Scams [f] for more
	information on avoiding e-mail scams.
	
	3. Refer to Avoiding Social Engineering and Phishing Attacks [g] for
	more information on social engineering attacks.

ICS-CERT CONTACT

For any questions related to this report, please contact ICS-CERT at:

E-mail: ics-cert@dhs.gov
Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting: www.ics-cert.org

DOCUMENT FAQ

What is an ICS-CERT Advisory? An ICS-CERT Advisory is intended to provide
awareness or solicit feedback from critical infrastructure owners and operators
concerning ongoing cyber events or activity with the potential to impact
critical infrastructure computing networks.

When is vulnerability attribution provided to researchers? Attribution for
vulnerability discovery is always provided to the vulnerability reporter
unless the reporter notifies ICS-CERT that they wish to remain anonymous.
ICS-CERT encourages researchers to coordinate vulnerability details before
public release. The public release of vulnerability details prior to the
development of proper mitigations may put industrial control systems and the
public at avoidable risk.

REFERENCES

a. http://cwe.mitre.org/data/definitions/121.html,
  website accessed January 03, 2012.
b. http://cwe.mitre.org/data/definitions/122.html,
  website accessed January 03, 2012.
c. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4870, NIST uses
  this advisory to create the CVE website report. This website will be active
  sometime after publication of this advisory.
d. http://nvd.nist.gov/cvss.cfm, website last accessed January 03, 2012.
e. CSSP Recommended Practices,
  http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html,
  website last accessed January 03, 2012.
f. Recognizing and Avoiding Email Scams,
  http://www.us-cert.gov/reading_room/emailscams_0905.pdf,
  website last accessed January 03, 2012.
g. National Cyber Alert System Cyber Security Tip ST04-014,
  http://www.us-cert.gov/cas/tips/ST04-014.html,
  website last accessed January 03, 2012.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================