ICS-CERT Advisory ICSA-11-195-01P was originally released to the US-CERT Portal on July 14, 2011. This web page release was delayed to allow users sufficient time to download and install the update.
Independent security researchers Billy Rios and Terry McCorkle have identified a stack-based buffer overflow vulnerability that exists in two different ActiveX controls used by the Wonderware Information Server product. Successful exploitation of this vulnerability could allow remote code execution on a client running vulnerable versions of the software.
ICS-CERT has coordinated with the researchers and Invensys. Invensys has issued a patch to address this vulnerability. The researchers have confirmed this patch fully resolves this reported vulnerability in both vulnerable ActiveX controls.
The following Wonderware Information Server client versions are affected:
If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on vulnerable clients at the same privilege level as the exploited process.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Wonderware is a brand offering of the Operations Management Division of Invensys. Invensys Operations Management is a provider of automation and information technologies and systems.
The Wonderware Information Server is used in several industries including oil and gas, chemical, power, pharmaceutical, and water and wastewater treatment.
The Wonderware Information Server contains a stack-based buffer overflow.1 An attacker would need to create a specially crafted webpage or file for the client to open. Successfully exploiting the vulnerability could allow remote code execution in an affected client.
According to Invensys, the overall Common Vulnerability Scoring System (CVSS)2 severity score for this vulnerability is 6.0 (high) but may require social engineering to exploit.
This vulnerability is remotely exploitable. User interaction is likely required to exploit this vulnerability as users must open a malicious file or website on a client with the vulnerable ActiveX control installed in order to allow the execution of code to occur.
No known exploits are specifically targeting this vulnerability.
A moderate set of skills are required to create a working exploit for this vulnerability. In addition, user interaction is required to successfully execute the exploit.
Invensys has developed a patch that fully resolves this vulnerability. This patch has been confirmed by the researchers. Customers of Invensys running vulnerable versions of Information Server can update their systems to the most recent patch release by following the steps provided by Invensys. In addition to applying this patch, Invensys has made additional recommendations to customers running vulnerable versions of the Information Server product.
ICS-CERT also encourages asset owners to take the following defensive precautions:
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the CSSP web page. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
For any questions related to this report, please contact the CISA at:
Toll Free: 1-888-282-0870
For industrial control systems cybersecurity information: https://www.us-cert.gov/ics
or incident reporting: https://www.us-cert.gov/report
CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.
This product is provided subject to this Notification and this Privacy & Use policy.
Was this document helpful? Yes | Somewhat | No