ICS-CERT Advisory Warns of Schneider, Emerson Vulnerabilities

2015-01-09T09:52:22
ID THREATPOST:250E6F5316497327C928CFAE7F3972D1
Type threatpost
Reporter Michael Mimoso
Modified 2015-01-09T14:52:22

Description

Industrial HMI software from Schneider Electric has been updated to patch a buffer overflow vulnerability that could be exploited by a remote attacker.

The buffer overflow vulnerability was found in the Wonderware InTouch Access Anywhere Server v10.6 and v11. The server is human machine interface software that provides a visualization of industrial processes. Operators use the interface to manage performance, turn processes on and off, and more.

“The successful exploitation of this vulnerability could cause a buffer overflow that may allow arbitrary code execution,” the Industrial Control System Cyber Emergency Response Team said in an advisory published Thursday.

ICS-CERT said it is not aware of public exploits of this vulnerability. Schneider has made its update available here.

Operators using the Wonderware InTouch Access Anywhere Server are able to access the company’s InTouch applications over the Internet for remote management of industrial processes. The software is used in a number of critical industries worldwide, including chemical, energy, water utilities, and manufacturing.

“An attacker could cause a stack-based buffer overflow by requesting a nonexistent file that may enable the execution of arbitrary code,” ICS-CERT said of a potential exploit.

Exploits Available for Emerson HART DTM Vuln

A second unrelated advisory released yesterday warned of public exploits against an improper input vulnerability in the CodeWrights HART Device Type Manager library used by Emerson in its HART DTM. CodeWrights released a new library that has patched the security issue. ICS-CERT said Emerson has tested the new library and will integrate it into its product.

HART is a communication protocol used to manage field devices in industrial settings.

A lengthy list of affected products is available in the ICS-CERT advisory.

“The vulnerability causes the HART DTM component to crash and also causes the HART service to stop responding,” ICS-CERT said. “No loss of information or loss of control or view by the control system results from an attacker successfully exploiting this vulnerability.”

Emerson said the affected DTM is deployed worldwide in a number of industries. An attacker would require physical access to the network in order to exploit the vulnerability.

“By sending specially crafted response packets directly on the 4-20 mA current loop, the DTM component stops functioning and Field Device Tool (FDT) Frame application becomes unresponsive,” ICS-CERT said. “Crafting a working exploit for this vulnerability would be difficult. Physical access to the 4 mA to 20 mA current loop is required in conjunction with a connected HART device modified to send crafted packets. The exploit also requires specific timing for the spoofed response. This decreases the likelihood of a successful exploit.”

Image courtesy Good Millwork