CERTVU:222657
Nov 19, 2010 - 12:00 a.m.

RealFlex RealWin HMI service buffer overflows

www.kb.cert.org

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.587 Medium
Percentile: 97.8%

Overview

RealFlex RealWin 1.06 HMI service (912/tcp) contains two stack buffer overflow vulnerabilities.

Description

RealFlex RealWin is a SCADA server package for medium and small applications designed to control and monitor real-time applications. The RealWin application runs an HMI service on port 912/tcp. This service is vulnerable to two stack-based buffer overflows. One vulnerability is caused by the use of sprintf() in the SCPC_INITIALIZE() and SCPC_INITIALIZE_RF() functions. The second vulnerability is caused by the use of strcpy() in the SCPC_TXTEVENT() function.

Further information is available in ICS-CERT Advisory ICSA-10-313-01.
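The root cause named above, unbounded sprintf() and strcpy() into fixed-size stack buffers, is avoided by copies that check the length and reject oversized input. The following is an added example, not RealWin code: the function names, buffer sizes and format string are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern named in the advisory (comment only, never compiled):
 *     char buf[64];
 *     sprintf(buf, "%s:%s", a, b);   // length of a and b unchecked
 *     strcpy(buf, event_text);       // length of event_text unchecked
 */

/* Bounded sprintf() replacement. Returns 0 on success, -1 when the result
 * would not fit, so the caller drops the request instead of truncating. */
int format_init(char *out, size_t outsz, const char *a, const char *b)
{
    int n = snprintf(out, outsz, "%s:%s", a, b);  /* constructed format */
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Bounded strcpy() replacement for a field read off the wire. The field may
 * lack a NUL terminator, so only field_len received bytes are examined. */
int copy_field(char *out, size_t outsz, const unsigned char *field, size_t field_len)
{
    const unsigned char *nul = memchr(field, '\0', field_len);
    size_t len = nul ? (size_t)(nul - field) : field_len;
    if (outsz == 0 || len >= outsz) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    memcpy(out, field, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char buf[16];                       /* constructed size */
    unsigned char wire[64];             /* constructed oversized field */
    memset(wire, 'A', sizeof wire);
    printf("short field: %d\n", copy_field(buf, sizeof buf, (const unsigned char *)"alarm", 5));
    printf("long field:  %d\n", copy_field(buf, sizeof buf, wire, sizeof wire));
    printf("format:      %d\n", format_init(buf, sizeof buf, "node1", "tagdb"));
    return 0;
}
```

Both helpers fail closed: on overflow the destination is left as an empty string and the caller gets -1, which a service would treat as a malformed request.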


Impact

An attacker may be able to cause a denial of service or potentially execute arbitrary code with the privileges of the service account on the target machine. If the service account has administrative privileges, the attacker could take complete control of a vulnerable system.


Solution

Upgrade to RealWin 2.1.10 (2.1 Build 6.1.10.10).


Vendor Information


RealFlex Technologies Ltd. (Affected)

Notified: October 29, 2010 Updated: November 12, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Upgrade to RealWin 2.1.10 (2.1 Build 6.1.10.10).


Acknowledgements

Luigi Auriemma publicly reported this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2010-4142
Severity Metric: 12.07
Date Public:
