ICS-CERT: Invensys Wonderware Server Multiple Vulnerabilities

Wednesday, April 04, 2012

Infosec Island Admin


ICS-CERT originally released Advisory “ICSA-12-062-01P-Invensys Wonderware Information Server Multiple Vulnerabilities” on the US-CERT secure portal on March 02, 2012. This web page release was delayed to allow users time to download and install the update.

Independent security researchers Terry McCorkle and Billy Rios have identified multiple vulnerabilities in the Invensys Wonderware Information Server. Invensys has developed a security update that addresses these vulnerabilities in the affected products.

Invensys has expressed appreciation to Billy Rios and Terry McCorkle as independent security researchers for the discovery and collaboration with Invensys on resolving these vulnerabilities.

The following Invensys Wonderware Information Server versions are affected:

• Portal: 4.0 SP1 and 4.5
• Client: 4.0 SP1 and 4.5

The following Invensys Wonderware Historian Client version is affected:

• Only Wonderware Historian Client versions installed on the same node as the Wonderware Information Server Portal or Client are subject to the vulnerabilities reported in this Advisory.

IMPACT

These vulnerabilities, if exploited, could allow denial of service, information disclosure, remote code execution, or session credential hijacking. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

BACKGROUND

The Invensys Wonderware Information Server is used in many industries worldwide, including manufacturing, energy, food and beverage, chemical, and water and wastewater.

The Information Server provides industrial information content including process graphics, trends, and reports. The Invensys Wonderware Information Server Web Clients provide access to reports, analysis, and write-back capabilities to processes.

VULNERABILITY OVERVIEW

CROSS-SITE SCRIPTING:  This vulnerability enables an attacker to inject client-side script into web pages viewed by other users, or to bypass client-side security mechanisms imposed by modern web browsers. This vulnerability, if exploited, could allow arbitrary code execution and may require social engineering to exploit. CVE-2012-0225 has been assigned to this vulnerability. The Invensys assessment of the compound vulnerabilities using the CVSS Version 2.0 calculator rates an Overall CVSS Score of 8.1.

SQL INJECTION:  This vulnerability can be used by an attacker to perform database operations that were not intended by the web application designer and, in some instances, can lead to total compromise of the database server. This vulnerability, if exploited, could allow arbitrary code execution. CVE-2012-0226 has been assigned to this vulnerability. The Invensys assessment of the compound vulnerabilities using the CVSS Version 2.0 calculator rates an Overall CVSS Score of 8.1.

PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS:  Access-permission weaknesses in the client controls can lead to denial of service. CVE-2012-0228 has been assigned to this vulnerability. The Invensys assessment of the compound vulnerabilities using the CVSS Version 2.0 calculator rates an Overall CVSS Score of 8.1.

EXPLOITABILITY:  These vulnerabilities are remotely exploitable.

EXISTENCE OF EXPLOIT:  No known exploits specifically target these vulnerabilities.

DIFFICULTY:  An attacker with a low skill level can cause the denial of service, whereas executing arbitrary code would require a more skilled attacker. This attack may require social engineering to exploit.
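The advisory describes the two injection classes only in general terms and does not disclose where in the product they occur. The following is an added, generic illustration of those classes (not code from Wonderware Information Server or from the researchers): a report lookup built by string concatenation beside its parameterized form, and a page fragment that echoes a username raw beside one that HTML-encodes it. The in-memory SQLite table, the report names and the payloads are all constructed for the demonstration.

```python
import html
import sqlite3

# Constructed in-memory table standing in for a report database; this is not
# the product's schema, only a stand-in so the queries below can run offline.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO reports (name, owner) VALUES (?, ?)",
        [("Line 1 throughput", "alice"), ("Boiler trend", "bob"), ("Audit log", "admin")],
    )
    conn.commit()
    return conn


def reports_for_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    # Caller input is spliced into the SQL text, so a quote in it changes the
    # query's structure instead of being compared as data.
    sql = "SELECT name FROM reports WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def reports_for_hardened(conn: sqlite3.Connection, owner: str) -> list:
    # Parameter binding: the driver sends the value separately from the SQL
    # text, so the same payload is simply an owner name that matches nothing.
    sql = "SELECT name FROM reports WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def render_greeting_vulnerable(username: str) -> str:
    # Reflects the value into HTML unchanged: markup in it becomes markup.
    return "<p>Welcome, " + username + "</p>"


def render_greeting_hardened(username: str) -> str:
    # HTML-encode at the output point so the browser renders text, not tags.
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


def demo() -> dict:
    """Run both variants against constructed payloads and return the results."""
    conn = make_db()
    sqli_payload = "x' OR '1'='1"            # constructed tautology payload
    xss_payload = "<script>alert(1)</script>" # constructed script payload
    return {
        "sqli_vulnerable": reports_for_vulnerable(conn, sqli_payload),  # every row
        "sqli_hardened": reports_for_hardened(conn, sqli_payload),      # []
        "xss_vulnerable": render_greeting_vulnerable(xss_payload),      # tag survives
        "xss_hardened": render_greeting_hardened(xss_payload),          # tag encoded
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The concatenated query returns every report regardless of owner because the payload closes the string literal and appends an always-true condition; the bound query returns nothing because the whole payload is compared as one value. The same principle applies to the advisory's XSS item: the fix is output encoding at the point where untrusted data meets HTML, not input filtering alone.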

MITIGATION

Invensys has developed software updates to address the reported vulnerabilities. Customers of Invensys running vulnerable versions of Invensys Wonderware Information Server and Invensys Wonderware Historian Client can update their systems to the most recent software updates released by following the steps provided by Invensys.

Invensys software updates can be downloaded from the Wonderware Development Network (“Software Download” area) and the Infusion Technical Support website.

The following steps are provided by Invensys for update information:

Install the Security Update using instructions provided in the ReadMe file for the product and component being installed. In general, the user should proceed as indicated below:

1. Wonderware Information Server – Portal component: Run the “Hotfix Install Utility.”

2. Wonderware Information Server – Client component: Uninstall the client from Add/Remove Programs (ClientSetup.msi), clear the IE cache (see specific instructions in the Readme file provided with the Security Update) and access the Wonderware Information Server site.

3. If the Portal component (Step 1) and the Client component (Step 2) are installed on the same node, perform the functions in Step 2 and also run the “Hotfix Install Utility.”

In addition to applying the software updates, Invensys has made additional recommendations to customers running vulnerable versions of the Invensys Wonderware Information Server and Invensys Wonderware Historian Client products.

Customers using versions of the products prior to Invensys Wonderware Information Server 5.0 and Invensys Wonderware Historian Client 10 SP3 should apply the security update to all nodes where the Portal and Client components are installed. (All browser clients of the portal are affected and should be patched).

Customers using the affected versions of Invensys Wonderware Information Server should set the security level settings in the Internet browser to “Medium – High” to minimize the risks presented by these vulnerabilities.

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICSA-12-062-01.pdf
