ICS-CERT: Robot Communication Runtime Buffer Overflow

Monday, March 05, 2012

Infosec Island Admin


ICS-CERT received a report from ABB and the Zero Day Initiative (ZDI) concerning a buffer overflow vulnerability in the Robot Communication Runtime software used to communicate with IRC5, IRC5C, and IRCP robot controllers.

This vulnerability was reported to ZDI by independent security researcher Luigi Auriemma. ABB has developed a patch to address this issue.

If exploited, this vulnerability could allow an attacker to cause a denial of service to the robot scanning and discovery service on the computer and potentially execute remote code with administrator privileges.

The following ABB products and versions are affected:

• ABB Interlink Module: Versions 4.6 through 4.9
• IRC5 OPC Server: Versions up to and including 5.14.01
• PC SDK: Versions up to and including 5.14.01
• PickMaster 3: Versions up to and including 3.3
• PickMaster 5: Versions up to and including 5.13
• Robot Communications Runtime: Versions up to and including 5.14.01
• RobotStudio: Versions supporting IRC5 up to and including 5.14.01
• RobView 5: Works together with other products listed here.
• WebWare SDK: Versions 4.6 through 4.9
• WebWare Server: Versions 4.6 through 4.91

IMPACT

An attacker may be able to use this vulnerability to cause a denial of service for the robot scanning and discovery service and potentially execute code remotely on the Windows PC. Depending on the installation, the remote code execution could run with administrator privilege.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

According to ABB, RobotStudio and PickMaster 5 are used in installation, programming, and commissioning of ABB industrial robots. PickMaster 3, IRC5 OPC Server, and WebWare SDK are used for continuous operations and custom human-machine interfaces for Windows PCs connected to the robot controller over a factory network.

VULNERABILITY OVERVIEW

According to ZDI, the vulnerability exists within RobNetScanHost.exe and its parsing of network packets accepted on Port 5512/TCP. By sending a specially crafted packet, an attacker can cause the RobNetScanHost service to terminate, resulting in a denial of service that prevents robot controllers from being discovered on the network. An attacker may be able to use the buffer overflow to download and execute code on the affected PC.

BUFFER OVERFLOW

The vulnerability originates from a buffer overflow in the RobNetScanHost service component when processing incoming announcements of robot controller availability on the network. CVE-2012-0245 has been assigned to this vulnerability. A CVSS V2 base score of 10 has also been assigned.
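As an added illustration of the bug class described in the two sections above (this is not code from ABB, ZDI or the advisory, and the real RobNetScanHost wire format is not published on this page), the following C program parses a hypothetical "controller announcement" message in which a length-prefixed name field is copied into a fixed-size buffer. The 0x5A marker, the two-byte length field, the 64-byte buffer and the function names are all assumptions. The unchecked parser trusts the length from the network, which is the pattern that produces both the crash (denial of service) and, with a crafted payload, a chance at code execution; the hardened parser adds the two checks that bound the copy.

```c
/* Added example, not ABB/ZDI code. Assumed framing: 0x5A marker, 2-byte
 * big-endian name length, then the name bytes. NAME_MAX is an assumed size. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 64   /* assumed fixed-size buffer for the controller name */

static unsigned read_u16be(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Vulnerable pattern: the length field from the packet is used directly.
 * name_out is assumed to be NAME_MAX bytes; a longer field writes past it.
 * In a real service this buffer would typically be on the stack, so an
 * oversized announcement crashes the service or overwrites control data. */
int parse_announcement_unchecked(const uint8_t *pkt, size_t pktlen, char *name_out)
{
    if (pktlen < 3 || pkt[0] != 0x5A) return -1;
    size_t n = read_u16be(pkt + 1);
    memcpy(name_out, pkt + 3, n);   /* no check against NAME_MAX or pktlen */
    name_out[n] = '\0';
    return (int)n;
}

/* Hardened version: bound the length by the bytes actually received and by
 * the destination buffer (leaving room for the terminator); reject otherwise. */
int parse_announcement_checked(const uint8_t *pkt, size_t pktlen,
                               char *name_out, size_t out_sz)
{
    if (pktlen < 3 || pkt[0] != 0x5A) return -1;
    size_t n = read_u16be(pkt + 1);
    if (n > pktlen - 3) return -2;  /* length claims more data than was received */
    if (n >= out_sz) return -3;     /* would not fit with the terminator */
    memcpy(name_out, pkt + 3, n);
    name_out[n] = '\0';
    return (int)n;
}

/* Constructed test packet: a valid frame whose name is name_len 'A' bytes. */
size_t build_announcement(uint8_t *buf, size_t buf_sz, size_t name_len)
{
    if (name_len > 0xFFFF || buf_sz < 3 + name_len) return 0;
    buf[0] = 0x5A;
    buf[1] = (uint8_t)(name_len >> 8);
    buf[2] = (uint8_t)(name_len & 0xFF);
    memset(buf + 3, 'A', name_len);
    return 3 + name_len;
}

/* Run the checked parser on a well-formed packet with a name of name_len bytes. */
int checked_result_for(size_t name_len)
{
    uint8_t pkt[512];
    char name[NAME_MAX];
    size_t len = build_announcement(pkt, sizeof pkt, name_len);
    if (!len) return -100;
    return parse_announcement_checked(pkt, len, name, sizeof name);
}

/* Truncated packet: length field says 500 bytes but only 10 follow. */
int checked_rejects_truncated(void)
{
    uint8_t pkt[13] = { 0x5A, 0x01, 0xF4 };
    char name[NAME_MAX];
    memset(pkt + 3, 'A', 10);
    return parse_announcement_checked(pkt, sizeof pkt, name, sizeof name);
}

/* Show the overflow without undefined behaviour: hand the unchecked parser
 * the first NAME_MAX bytes of a larger heap block filled with a sentinel and
 * report whether the byte just past the "buffer" was overwritten (1 = yes). */
int unchecked_overflows_with(size_t name_len)
{
    uint8_t pkt[512];
    size_t pktlen = build_announcement(pkt, sizeof pkt, name_len);
    if (!pktlen) return -1;
    enum { SCRATCH = NAME_MAX + 256 };
    char *scratch = malloc(SCRATCH);
    if (!scratch) return -1;
    memset(scratch, 0xEE, SCRATCH);
    parse_announcement_unchecked(pkt, pktlen, scratch);
    int clobbered = (unsigned char)scratch[NAME_MAX] != 0xEE;
    free(scratch);
    return clobbered;
}

int main(void)
{
    printf("name of 10 bytes: checked=%d, unchecked overflow=%d\n",
           checked_result_for(10), unchecked_overflows_with(10));
    printf("name of 200 bytes: checked=%d, unchecked overflow=%d\n",
           checked_result_for(200), unchecked_overflows_with(200));
    printf("truncated packet: checked=%d\n", checked_rejects_truncated());
    return 0;
}
```

The two rejections in the hardened parser correspond to the two failure modes a length-prefixed field can cause: a length larger than the received data makes the copy read past the packet, and a length larger than the destination makes it write past the buffer. Whichever check is missing, the fix is the same: derive the copy size from what was received and what fits, never from the untrusted field alone.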

EXPLOITABILITY: This vulnerability is remotely exploitable.

EXISTENCE OF EXPLOIT: No known exploits specifically target this vulnerability.

DIFFICULTY: An attacker with a low skill level would be able to exploit the buffer overflow while more advanced knowledge would be required to execute arbitrary code.

MITIGATION: ABB has issued a customer notification as well as a patch to correct this vulnerability.

The full ICS-CERT advisory can be found here:

Source: http://www.us-cert.gov/control_systems/pdf/ICSA-12-059-01.pdf
