Independent researcher Luigi Auriemma has identified and released proof of concept code (POC) for a use after free vulnerability in the MICROSYS, spol. s r.o. PROMOTIC application without coordination with ICS-CERT, the vendor, or any other known coordinating entity.
ICS-CERT has coordinated this vulnerability with MICROSYS, which has produced an update that Mr. Auriemma confirms resolves this vulnerability.
The following products are affected:
• PROMOTIC versions prior to Version 8.1.7
Successful exploitation of this vulnerability may result in adverse conditions ranging from the corruption of valid data to the execution of arbitrary code.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
PROMOTIC is a Microsoft Windows based supervisory control and data acquisition human-machine interface (SCADA HMI) software programming suite for creating applications that monitor, control, and display technological processes.
MICROSYS, spol. s r.o. is a Czech company with headquarters in Ostrava. The PROMOTIC system is primarily used in Czech and Slovak Republics. It is also used in Poland, Hungary, Slovenia, Serbia, Bulgaria, and Romania.
USE AFTER FREE: A use after free condition can occur when opening a specially crafted project file. Exploitation of this vulnerability may allow data corruption or arbitrary code execution. CVE-2011-4874 has been assigned to this vulnerability.
EXPLOITABILITY: This vulnerability is not remotely exploitable and cannot be exploited without user interaction. The exploit is only triggered when a local user runs the vulnerable application and loads the malformed project file.
EXISTENCE OF EXPLOIT: Public exploits are known to target this vulnerability.
DIFFICULTY: Crafting a working exploit for this vulnerability would be difficult. Social engineering is required to convince the user to accept the malformed project file. Additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit.
MICROSYS spol. s r.o. recommends that customers with affected versions of PROMOTIC update their installations by downloading the latest version from MICROSYS’ website http://www.promotic.eu/en/firm/microsys.htm.
MICROSYS has produced a news release that contains additional information about these vulnerabilities: http://www.promotic.eu/en/pmdoc/News.htm#ver801057.
The full ICS-CERT advisory can be found here: