CVSS2: AV:N/AC:L/Au:N/C:C/I:C/A:C
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS Percentile: 90.5%
This advisory is a follow-up to the Alert titled “ICS-ALERT-11-256-01 – Progea Movicon PowerHMI Vulnerabilities” that was published September 13, 2011, on the ICS-CERT web page.
Two buffer overflow vulnerabilities and one memory corruption vulnerability were disclosed affecting the Progea Movicon PowerHMI product.
ICS-CERT has coordinated these vulnerabilities with Progea, which has produced a hotfix that mitigates them.
The following products are affected:
Each of these vulnerabilities can be remotely exploited to cause denial of service, system crash, or execution of arbitrary code.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their environment, architecture, and product implementation.
Progea Srl is an Italian company that offers SCADA products, which are deployed primarily in Europe, India, and the United States. They are used in energy, water, critical manufacturing, and several other industry sectors.
Movicon 11 is an XML-based HMI development system that includes drivers for programmable logic controllers (PLCs). Movicon provides OPC-based connectivity for data transfer, including OPC DA and OPC XML DA services.
A heap-based buffer overflow allows remote attackers to use an HTTP request on Port 808/TCP to cause a denial of service and possibly execute arbitrary code via a negative content-length field.
CVE-2011-3491 has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has also been assigned.
A heap-based buffer overflow allows remote attackers to use an HTTP request on Port 808/TCP to cause a denial of service and possibly execute arbitrary code via a long request.
CVE-2011-3498 has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has also been assigned.
This vulnerability allows remote attackers, using an HTTP request on Port 808/TCP and the EIDP protocol on Port 12233/TCP, to cause a denial of service and possibly execute arbitrary code via an EIDP packet with a large size field, which writes a zero byte to an arbitrary memory location.
CVE-2011-3499 has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has also been assigned.
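All three issues above involve a length or size value supplied by the remote peer. The following C code is an added example, not part of the advisory and not Progea's code: it shows defensive handling of a Content-Length value that rejects negative and oversized lengths and bounds the copy by both the destination size and the bytes actually received. The function names and the MAX_BODY_BYTES limit are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit for this example; not a value from the advisory. */
#define MAX_BODY_BYTES 65536u
/* Parse a Content-Length value. Returns 0 and sets *out, or -1 if rejected. */
int parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || out == NULL)
        return -1;
    while (*value == ' ' || *value == '\t')
        value++;
    /* Require a leading digit: strtoull() would otherwise accept "-1"
     * and return a huge unsigned value instead of failing. */
    if (*value < '0' || *value > '9')
        return -1;
    errno = 0;
    char *end = NULL;
    unsigned long long n = strtoull(value, &end, 10);
    while (*end == ' ' || *end == '\t')
        end++;
    if (errno == ERANGE || *end != '\0' || n > MAX_BODY_BYTES)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Copy the body only when the declared length is valid, fits dst, and does
 * not exceed the bytes actually received. Returns bytes copied or -1. */
int copy_body(char *dst, size_t dst_size, const char *body, size_t received,
              const char *cl_value)
{
    size_t declared;
    if (parse_content_length(cl_value, &declared) != 0 ||
        declared > dst_size || declared > received)
        return -1;
    memcpy(dst, body, declared);
    return (int)declared;
}

int main(void)
{
    char buf[16];
    printf("%d\n", copy_body(buf, sizeof buf, "hello", 5, "5"));  /* constructed input, accepted */
    printf("%d\n", copy_body(buf, sizeof buf, "hello", 5, "-1")); /* constructed input, rejected */
    return 0;
}
```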
These vulnerabilities are remotely exploitable.
Public exploit(s) are known to target these vulnerabilities.
An attacker with a low skill level can create a denial of service attack, but a skilled attacker would be able to execute arbitrary code.
Progea has developed and released a hotfix to address this vulnerability. Contact the Progea support group for instructions to aid in the installation of the hotfix.
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
The Control Systems Security Program (CSSP) also provides a section for control system security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
support.progea.com/download/HotFix_Movicon11.2.1085.4.zip
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3491
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3498
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3499
www.progea.com/
www.progea.com/supporto-progea/supporto/progea-support.html