CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
AI Score Confidence: Low
EPSS Percentile: 92.1%
ICS-CERT originally released Advisory ICSA-12-081-01P on the US-CERT secure portal on March 21, 2012. This web page release was delayed to allow users time to download and install the update.
Independent researcher Celil Unuver from SignalSec Corporation has identified two buffer overflow vulnerabilities in the WWCabFile component of the Wonderware System Platform, which is used by multiple applications that run on the platform. Invensys has produced a patch that resolves these vulnerabilities. Mr. Unuver has tested the patch and verified that it resolves the vulnerabilities.
The following Invensys products and versions are affected:
NOTE: The Wonderware Historian is part of the System Platform but is not affected by this Security Update.
Successfully exploiting these vulnerabilities will cause a buffer overflow that may allow remote code execution.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Wonderware System Platform, along with the Foxboro Control Software, is used for designing, building, deploying, and maintaining standardized applications for manufacturing and infrastructure operations.
The Wonderware Information Server is a component of the System Platform and is used for aggregating and presenting plant production and performance data.
A heap-based overflow can be used to overwrite function pointers that exist in memory with pointers to the attacker’s code. Applications that do not explicitly use function pointers are still vulnerable, as unrelated run-time programs can leave operational function pointers in memory.
The heap-based buffer overflow in WWCabFile ActiveX Component can be exploited by sending a long string of data to the “Open” member of the WWCabFile component.
Common Vulnerabilities and Exposures (CVE) Identifier CVE-2012-0257 has been assigned to this vulnerability. According to Invensys, a CVSS V2 base score of 6.0 has also been assigned.
The heap-based buffer overflow can be exploited by sending a long data string to the “AddFile” member of the WWCabFile component.
CVE Identifier CVE-2012-0258 has been assigned to this vulnerability. According to Invensys, a CVSS V2 base score of 6.0 has also been assigned.
These vulnerabilities require user interaction to exploit, possibly by social engineering.
No known public exploits specifically target these vulnerabilities.
Invensys has rated these vulnerabilities as a medium concern based on exploit difficulty and the potential that social engineering may be required.
Invensys encourages users affected by these vulnerabilities to follow the instructions in their security bulletin.
Installation of the Security Update does not require a reboot. If multiple products are installed on the same node, the customer need only install the Security Update once.
To install the update, Invensys recommends that users follow the instructions found in the ReadMe file for the product and component being installed. In general, Invensys recommends that users:
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
wdnresource.wonderware.com/support/docs/_SecurityBulletins/Security_Bulletin_LFSEC00000071.pdf
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0257
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0258
www.signalsec.com/