CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 82.5%
Invensys Wonderware InTouch 8.0 creates a NetDDE share that could allow an attacker to run arbitrary programs.
Invensys Wonderware InTouch HMI Software is used in Supervisory Control And Data Acquisition (SCADA) systems.
Dynamic Data Exchange (DDE) was designed to allow Microsoft Windows applications to share data. NetDDE is an extension to DDE that was developed by Wonderware. NetDDE allows communications with local DDE applications and with remote NetDDE agents using NetBIOS. NetDDE is not supported in Windows Vista, but is included in Windows NT, 2000, XP, and Server 2003.
InTouch 8.0 creates a universal NetDDE share. The permissions applied to the share may allow a remote attacker to execute arbitrary programs. Windows access permissions apply to NetDDE connections; however, if an attacker can obtain valid credentials, or possibly if anonymous connections are enabled, the attacker could connect to the NetDDE share and execute programs.
Other vendors may also create insecure NetDDE shares.
A remote attacker may be able to execute any application that accepts NetDDE connections. This could allow an attacker to gain control of the system running NetDDE.
Upgrade
This issue has been addressed in Wonderware InTouch version 9 and later. Wonderware administrators with active support contracts who do not want to upgrade can get an updated version of Wonderware 8.0. Wonderware Tech Alert 98 contains information about obtaining fixed software. Wonderware administrators can also contact Wonderware for more information about obtaining updates.
Please see the Systems Affected section below for information about other vendors.
Disable NetDDE
If NetDDE is not required, disable the Network DDE and Network DDE DSDM services.
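One way to carry out this step from PowerShell, as an added example that is not part of the original advisory or any vendor guidance. It looks the services up by the display names given above; the function name `Disable-NetDdeService` is hypothetical, and the script assumes an elevated prompt and a Windows PowerShell build that provides `Get-WmiObject`.

```powershell
# Added example: audit, then stop and disable, the two services named in the advisory.
# Uses WMI (Win32_Service) so it does not rely on newer Get-Service properties.

# Display names as given in the advisory, listed in the order they are stopped.
$NetDdeDisplayNames = 'Network DDE', 'Network DDE DSDM'

function Disable-NetDdeService {    # hypothetical helper name
    param(
        [string[]]$DisplayName = $NetDdeDisplayNames,
        [switch]$AuditOnly          # report only, change nothing
    )
    foreach ($name in $DisplayName) {
        $filter = "DisplayName='$name'"
        $svc = Get-WmiObject -Class Win32_Service -Filter $filter
        if (-not $svc) {
            # Service absent, e.g. on Windows Vista where NetDDE is not supported.
            "{0}: not installed" -f $name
            continue
        }
        "{0} ({1}): state={2}, start mode={3}" -f $name, $svc.Name, $svc.State, $svc.StartMode
        if ($AuditOnly) { continue }

        if ($svc.State -ne 'Stopped') {
            $rc = $svc.StopService().ReturnValue
            if ($rc -ne 0) {
                # 3 = a dependent service is still running; stop that one first.
                Write-Warning ("{0}: StopService returned {1}" -f $name, $rc)
            }
        }
        if ($svc.StartMode -ne 'Disabled') {
            $rc = $svc.ChangeStartMode('Disabled').ReturnValue
            if ($rc -ne 0) {
                Write-Warning ("{0}: ChangeStartMode returned {1}" -f $name, $rc)
            }
        }
        # Re-read the service so the report shows the resulting configuration.
        $after = Get-WmiObject -Class Win32_Service -Filter $filter
        "{0}: now state={1}, start mode={2}" -f $name, $after.State, $after.StartMode
    }
}

Disable-NetDdeService -AuditOnly     # first pass: report current state
# Disable-NetDdeService              # second pass: stop and disable
```

Run the audit pass first on HMI hosts: an application that still uses NetDDE will lose its data links once the services are disabled.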
Limit NetDDE share privileges
If NetDDE is required, configure shares to have the least necessary privileges. From Digital Bond: "NetDDE allows a system to limit access to specific applications, documents, and even portions of the documents. Access and permissions can be set by user or group as well. The key is to avoid the wide open share like seen in the |." Also, unless absolutely required, do not configure anonymous users to be members of the Everyone group (see KB 278259 for more information).
Restrict NetDDE access
Per Microsoft Security Bulletin MS04-031 (which describes an unrelated NetDDE vulnerability in Windows), blocking the following ports at perimeter firewalls can prevent remote NetDDE connections (as well as NetBIOS and SMB connections).
* Ports `135/udp`, `137/udp`, `138/udp`, `445/udp`, `135/tcp`, `139/tcp`, `445/tcp`, and `593/tcp`
* All unsolicited inbound traffic on ports greater than 1024
* Any other specifically configured RPC port
138633
Notified: October 02, 2007 Updated: November 27, 2007
Affected
Wonderware, a business unit of Invensys, is committed to collaborate with our customers and industry standards committees to provide secure applications, security best practices, deployment guidelines, tools and prescriptive guidance for maintaining a secure environment. This issue was addressed in InTouch 9.0 and later versions. In addition to Restricting access per Microsoft Security Bulletin MS04-31, alternative solutions and additional information can be found in Wonderware's Tech Alert 98 posted on our website. (Please note that access to the Tech Alert will require that you register on our web site.) Wonderware users interested in upgrading should contact Wonderware or their local distributor.
The vendor has not provided us with any further information regarding this vulnerability.
Wonderware users should see Wonderware Tech Alert 98 for more information (registration required) or contact Wonderware for more information.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23138633 Feedback>).
Updated: February 25, 2008
Affected
NetDDE shared folder appears when InTouch 8.0 or older version is installed. Though this issue does not affect Takebishi's products directly, Takebishi is going to support their customers if any caused by this issue.
The vendor has not provided us with any further information regarding this vulnerability.
Please see <http://www.faweb.net/us/ioserver/faq.html#qa105>.
Group | Score | Vector |
---|---|---|
Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
Temporal | 0 | E:ND/RL:ND/RC:ND |
Environmental | 0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
This vulnerability was reported by Neutralbit with assistance from Digital Bond.
This document was written by Ryan Giobbi.
CVE IDs: | CVE-2007-6033 |
---|---|
Severity Metric: | 0.57 |
Date Public: | |
blogs.msdn.com/nickkramer/archive/2006/04/18/577962.aspx
lists.immunitysec.com/pipermail/dailydave/2004-October/001014.html
msdn2.microsoft.com/en-us/library/ms648711.aspx
pacwest.wonderware.com/web/News/NewsDetails.aspx?NewsThreadID=2&NewsID=201804
secunia.com/advisories/27751/
support.microsoft.com/default.aspx?scid=kb;en-us;125703
support.microsoft.com/kb/243330
support.microsoft.com/kb/278259
technet2.microsoft.com/windowsserver/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx
us.wonderware.com/aboutus/whoweare/contactus.htm
www.digitalbond.com/index.php/2007/11/19/wonderware-intouch-80-netdde-vulnerability-s4-preview/
www.digitalbond.com/index.php/2008/01/29/vulnerable-netdde-shares-lead-to-complete-system-compromise/
www.digitalbond.com/wiki/index.php/Invensys_Wonderware_InTouch_creates_insecure_NetDDE_share