CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
Confidence
High
EPSS
Percentile
93.3%
This advisory is a follow-up to the alert titled “ICS-ALERT-12-137-01 Pro-face Pro-Server EX Vulnerabilities,” that was published May 16, 2012, on the ICS-CERT Web page.
Independent researcher Luigi Auriemma identified multiple vulnerabilities in the Pro-face Pro-Server EX application and publicly released this information without coordination with ICS-CERT, the vendor, or any other coordinating entity known to ICS-CERT.
The four confirmed vulnerabilities are invalid memory access, integer overflow, unhandled exception, and memory corruptions. Each of these vulnerabilities can be exploited remotely, and public exploits are known to target these vulnerabilities.
ICS-CERT has coordinated these vulnerabilities with the development and manufacturing company of Pro-face branded products, Digital Electronics, which has produced an update that resolves these vulnerabilities.
Digital Electronics reports that the vulnerabilities affect the following products.
Exploitation of the reported vulnerabilities can result in a denial of service (DoS) or arbitrary code execution.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Pro-face is HMI-related hardware and software product found in a wide range of industries such as oil and gas, food and beverage, and water and wastewater industries. Pro-face products are used throughout the world, the highest number sold in Japan and the Asian Pacific area. According to its Web site, Pro-Server EX is a data management server that collects information generated by a PLC system through an HMI unit and generates reports. In February 2001, Pro-face America, Inc., a subsidiary of Digital Electronics Corporation, purchased Xycom Automation.
A specially crafted packet can cause an integer overflow that leads to a buffer overflow in an arbitrary memory location. Out-of-bounds memory access may result in the corruption of memory or instructions that may lead to a crash. The execution of arbitrary code may be possible. Other attacks leading to lack of availability may also be possible.
CVE-2012-3792NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3792, Web site last visited June 27, 2012. has been assigned to this vulnerability. A CVSS v2 base score of 5.8 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:P/I:N/A:P).
It is possible to exploit an integer overflow to crash the server which could be considered a denial of service.
CVE-2012-3793NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3793, Web site last visited June 27, 2012. has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:N/A:P).
It is possible to terminate the server because of an unhandled exception. Exploitation of this vulnerability will cause a denial-of-service condition.
CVE-2012-3794NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3794, Web site last accessed June 27, 2012. has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:N/A:P).
An attacker may crash the server by copying a large amount of memory from the target system.
CVE-2012-3795NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3795, Web site last accessed June 27, 2012. and CVE-2012-3796NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3796, Web site last accessed June 27, 2012. have been assigned to these vulnerabilities. A CVSS v2 base score of 5.8 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:P/I:N/A:P).
An attacker is able to write more data to a memory location than is allocated due to a lack of size checks. This will likely result in a system crash.
CVE-2012-3797NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3797, Web site last accessed June 27, 2012. has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:P/A:N).
These vulnerabilities can be remotely exploited.
Public exploits are known to target these vulnerabilities.
An attacker with a moderate skill level would be able to exploit these vulnerabilities.
Digital Electronics has released patch modules on its Web site at the following location: http://www.pro-face.com/news/2012/0606.html.
The patch module prevents the Pro-Server EX and WinGP from an attack using inaccurate packets.
Digital Electronics recommends the following in addition to applying the patch:
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:C/I:C/A:C
nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:C/I:C/A:C
nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:C/I:C/A:C
nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:C/I:C/A:C
nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:P
cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/ics-advisories/icsa-12-179-01
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Pro-Face%20Pro-Server%20EX%20Vulnerabilities+https://www.cisa.gov/news-events/ics-advisories/icsa-12-179-01
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-12-179-01&title=Pro-Face%20Pro-Server%20EX%20Vulnerabilities
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-12-179-01
www.oig.dhs.gov/
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Pro-Face%20Pro-Server%20EX%20Vulnerabilities&body=www.cisa.gov/news-events/ics-advisories/icsa-12-179-01