===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0430
  ICSA-13-080-01 INVENSYS WONDERWARE WIN-XML EXPORTER IMPROPER INPUT
                         VALIDATION VULNERABILITY
                               25 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Invensys Wonderware
Publisher:         US-CERT
Operating System:  Windows
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-4710

Original Bulletin:
   http://ics-cert.us-cert.gov/pdf/ICSA-13-080-01.pdf

--------------------------BEGIN INCLUDED TEXT--------------------

ICS-CERT ADVISORY

ICSA-13-080-01 INVENSYS WONDERWARE WIN-XML EXPORTER IMPROPER INPUT VALIDATION VULNERABILITY

March 21, 2013

This advisory was originally posted to the US-CERT secure Portal library on March 08, 2013, and is now being released to the ICS-CERT Web page.

This advisory provides mitigation details for a vulnerability that impacts the Invensys Wonderware Win-XML Exporter.

Independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team have discovered an improper input validation vulnerability in the Invensys Wonderware Win-XML Exporter. Invensys has released a patch that mitigates the vulnerability. The Positive Technologies Research Team has validated that the patch fixes the vulnerability.

Exploitation of this vulnerability could impact systems deployed in the critical manufacturing, energy, food and beverage, chemical, and water and wastewater sectors.

AFFECTED PRODUCTS

The following Invensys Wonderware products are affected:

  * Win-XML Exporter Version 1522, 148, 0, 0, and possibly earlier versions.

IMPACT

Successful exploitation of this vulnerability could allow an attacker to affect the confidentiality and availability of the Wonderware Win-XML Exporter.

This product is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

Invensys is a global technology company that works with industrial, commercial, rail operators, and appliance operators, while operating in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.

The Invensys [a] Wonderware Win-XML Exporter is used in many industries worldwide, including critical manufacturing, energy, food and beverage, chemical, and water and wastewater. The Wonderware Win-XML Exporter converts interface windows from InTouch HMI projects and displays them in Internet Explorer with the help of Wonderware Information Server.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

IMPROPER INPUT VALIDATION [b]

Wonderware Win-XML Exporter allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause Wonderware Win-XML Exporter to send the contents of local or remote resources to the attacker's server or cause a denial of service of the system.

CVE-2012-4710 [c] has been assigned to this vulnerability. A CVSS v2 base score of 6.3 has been assigned; the CVSS vector string is (AV:L/AC:M/Au:N/C:C/I:N/A:C). [d]

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability is not exploitable remotely and cannot be exploited without user interaction. The exploit is only triggered when a local user runs the vulnerable application and loads the malformed XML files.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

An attacker with medium skill would be able to exploit this vulnerability.

MITIGATION

Invensys has developed an update to the Win-XML Exporter that mitigates this vulnerability. The Positive Technologies Research Team has tested the update and validated that it fixes the vulnerability. Instructions and a link to the update are found on the Invensys download page. [e]

According to Invensys, any machine running one or more of the products listed above is affected and should be patched. No other components of the Wonderware installed products are affected. Users should install the update using instructions provided in the ReadMe file for the product and component being installed.

Invensys recommends that users:

  * Read the installation instructions provided with the patch.
  * Shut down any of the affected software products.
  * Install the update.
  * Restart the software.

ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.

  * Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
  * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

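Added example, not part of the advisory and not Invensys or ICS-CERT code: because the flaw described in the vulnerability overview is only triggered when a local user loads a crafted XML file, XML files can be screened for DTD and entity declarations before they are opened in an XML-consuming tool. The function name screen_xml, the finding labels, and both sample documents are assumptions constructed for illustration.

```python
import xml.parsers.expat as expat


class _RootReached(Exception):
    """Internal signal: the prolog is over, so no DTD content can follow."""


def screen_xml(data: bytes) -> list[tuple[str, str]]:
    """Report DTD constructs in the XML prolog as (kind, detail) tuples.

    Nothing is fetched or expanded; parsing stops at the root element.
    """
    findings: list[tuple[str, str]] = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name))
        if system_id or public_id:
            findings.append(("external-dtd", system_id or public_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:
            findings.append(("external-entity", f"{name} -> {system_id or public_id}"))
        else:
            findings.append(("internal-entity", name))

    def on_root(name, attrs):
        raise _RootReached  # entity references in the body are never expanded

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(data, True)
    except _RootReached:
        pass
    except expat.ExpatError as exc:
        findings.append(("malformed", str(exc)))
    return findings


# Constructed samples (not taken from the advisory or from a real project).
CLEAN = b'<?xml version="1.0"?><window name="Main"><tag id="1"/></window>'
SUSPECT = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE window [ <!ENTITY ext SYSTEM "file:///constructed/placeholder.txt"> ]>\n'
           b'<window name="Main">&ext;</window>')

if __name__ == "__main__":
    print(screen_xml(SUSPECT))
```

An empty result means the file carries no DOCTYPE; any finding is a reason to hold the file back for review. This check complements the vendor update described above and does not replace it.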
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. [f] ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B - Targeted Cyber Intrusion Detection and Mitigation Strategies, [g] that is available for download from the ICS-CERT Web page (www.ics-cert.org).

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

ICS-CERT CONTACT

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585

For industrial control systems security information and incident reporting: www.ics-cert.org

ICS-CERT continuously strives to improve its products and services. You can help by answering a short series of questions about this product at the following URL: https://forms.us-cert.gov/ncsd-feedback/.

a. http://www.invensys.com/, Web site last accessed March 21, 2013.
b. CWE-20 Improper Input Validation, http://cwe.mitre.org/data/definitions/20.html, Web site last accessed March 21, 2013.
c. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4710, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.
d. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:L/AC:M/Au:N/C:C/I:N/A:C), Web site last visited March 21, 2013.
e. Invensys software download page, https://wdn.wonderware.com/sites/WDN/Pages/Downloads/Software.aspx, Web site last accessed March 21, 2013.
f. CSSP Recommended Practices, http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html, Web site last accessed March 21, 2013.
g. Targeted Cyber Intrusion Detection and Mitigation Strategies, http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01B.pdf, Web site last accessed March 21, 2013.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================