7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
8.6 High
AI Score
Confidence
High
0.012 Low
EPSS
Percentile
85.5%
ICS-CERT originally released Advisory “ICSA-12-062-01PInvensys Wonderware Information Server Multiple Vulnerabilities” on the US-CERT secure portal on March 02, 2012. This web page release was delayed to allow users time to download and install the update.
Independent security researchers Terry McCorkle and Billy Rios have identified multiple vulnerabilities in the Invensys Wonderware Information Server. Invensys has developed a security update to address these affected products.
Invensys has expressed appreciation to Billy Rios and Terry McCorkle as independent security researchers for the discovery and collaboration with Invensys on resolving these vulnerabilities.
The following Invensys Wonderware Information Server versions are affected:
The following Invensys Wonderware Historian Client version is affected:
Only Wonderware Historian Client versions installed on the same node as the Wonderware Information Server Portal or Client are subject to the vulnerabilities reported in this Advisory.
These vulnerabilities, if exploited, could allow denial of service, information disclosure, remote code execution, or session credential high jacking. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
The Invensys Wonderware Information Server is used in many industries worldwide, including manufacturing, energy, food and beverage, chemical, and water and wastewater.
The Information Server provides industrial information content including process graphics, trends, and reports. The Invensys Wonderware Information Server Web Clients provides access to reports, analysis, or write back capabilities to processes.
This vulnerability enables an attacker to inject client side script into web pages viewed by other users or bypass client side security mechanisms imposed by modern web browsers. This vulnerability, if exploited, could allow arbitrary code execution and may require social engineering to exploit.
CVE-2012-0225 has been assigned to this vulnerability. The Invensys assessment of the compound vulnerabilities using the CVSSd Version 2.0 calculator rates an Overall CVSS Score of 8.1.National Vulnerability Database Calculator for LFSEC00000069, website last accessed March 29, 2012.
This vulnerability can be used by an attacker to perform database operations that were unintended by the web application designer and, in some instances, can lead to total compromise of the database server. This vulnerability, if exploited, could allow arbitrary code execution.
CVE-2012-0226 has been assigned to this vulnerability. The Invensys assessment of the compound vulnerabilities using the CVSSh Version 2.0 calculator rates an Overall CVSS Score of 8.1.National Vulnerability Database Calculator for LFSEC00000069, website last accessed March 29, 2012.
The security access permissions issues with client controls can lead to denial of service.
CVE-2012-0228 has been assigned to this vulnerability. The Invensys assessment of the compound vulnerabilities using the CVSSk Version 2.0 calculator rates an Overall CVSS Score of 8.1.National Vulnerability Database Calculator for LFSEC00000069, website last accessed March 29, 2012.
These vulnerabilities are remotely exploitable.
No known exploits specifically target these vulnerabilities.
An attacker with a low skill level can create the denial of service, whereas it would require a more skilled attacker to execute arbitrary code. This attack may require social engineering to exploit.
Invensys has developed software updates to address the reported vulnerabilities. Customers of Invensys running vulnerable versions of Invensys Wonderware Information Server and Invensys Wonderware Historian Client can update their systems to the most recent software updates released by following the steps provided by Invensys.
Invensys software updates can be downloaded from the Wonderware Development Network (“Software Download” area) and the Infusion Technical Support website: <https://wdn.wonderware.com/sites/WDN/Pages/Downloads/Software.aspx>.
The following steps are provided by Invensys for update information.
Install the Security Update using instructions provided in the ReadMe file for the product and component being installed. In general, the user should proceed as indicated below:
In addition to applying the software updates, Invensys has made additional recommendations to customers running vulnerable versions of the Invensys Wonderware Information Server and Invensys Wonderware Historian Client products. Customers using versions of the products prior to Invensys Wonderware Information Server 5.0 and Invensys Wonderware Historian Client 10 SP3 should apply the security update to all nodes where the Portal and Client components are installed. (All browser clients of the portal are affected and should be patched). Customers using the affected versions of Invensys Wonderware Information Server should set the security level settings in the Internet browser to “Medium – High” to minimize the risks presented by these vulnerabilities.
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0225
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0226
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0228
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Wonderware%20Information%20Server%20Multiple%20Vulnerabilities+https://www.cisa.gov/news-events/ics-advisories/icsa-12-062-01
wdn.wonderware.com/sites/WDN/Pages/Downloads/Software.aspx
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-12-062-01&title=Wonderware%20Information%20Server%20Multiple%20Vulnerabilities
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-12-062-01
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-12-062-01
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Wonderware%20Information%20Server%20Multiple%20Vulnerabilities&body=www.cisa.gov/news-events/ics-advisories/icsa-12-062-01