ICS-CERT: Invensys Wonderware Buffer Overflow Vulnerability

Monday, April 02, 2012

Infosec Island Admin


ICS-CERT originally released Advisory ICSA-12-081-01P on the US-CERT secure portal on March 21, 2012. This web page release was delayed to allow users time to download and install the update.

Independent researcher Celil Unuver from SignalSec Corporation has identified two buffer overflow vulnerabilities in the WWCabFile component of the Wonderware System Platform, which is used by multiple applications that run on the platform.

Invensys has produced a patch that resolves these vulnerabilities. Mr. Unuver has tested the patch and verified that it resolves the vulnerabilities.


The following Invensys products and versions are affected:

• Wonderware Application Server 2012 and all prior versions
• Foxboro Control Software Version 3.1 and all prior versions
• InFusion CE/FE/SCADA 2.5 and all prior versions
• Wonderware Information Server 4.5 and all prior versions
• ArchestrA Application Object Toolkit 3.2 and all prior versions
• InTouch 10.0 to 10.5 only (earlier versions of InTouch are not affected).

NOTE: The Wonderware Historian is part of the System Platform but is not affected by this Security Update.


Successfully exploiting these vulnerabilities will cause a buffer overflow that may allow remote code execution.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.


Wonderware System Platform, along with the Foxboro Control Software, is used for designing, building, deploying, and maintaining standardized applications for manufacturing and infrastructure operations. The Wonderware Information Server is a component of the System Platform and is used for aggregating and presenting plant production and performance data.

HEAP-BASED BUFFER OVERFLOW:  A heap-based overflow can be used to overwrite function pointers that exist in memory with pointers to the attacker’s code. Applications that do not explicitly use function pointers are still vulnerable, as unrelated run-time programs can leave operational function pointers in memory.

The heap-based buffer overflow in WWCabFile ActiveX Component can be exploited by sending a long string of data to the “Open” member of the WWCabFile component.

Common Vulnerabilities and Exposures (CVE) Identifier CVE-2012-0257 has been assigned to this vulnerability. According to Invensys, a CVSS V2 base score of 6.0 has also been assigned.

The heap-based buffer overflow can be exploited by sending a long data string to the “AddFile” member of the WWCabFile component. CVE Identifier CVE-2012-0258 has been assigned to this vulnerability. According to Invensys, a CVSS V2 base score of 6.0 has also been assigned.

EXPLOITABILITY: These vulnerabilities require user interaction to exploit, possibly by social engineering.

EXISTENCE OF EXPLOIT: No known public exploits specifically target these vulnerabilities.

DIFFICULTY: Invensys has rated these vulnerabilities as a medium concern based on exploit difficulty and the potential that social engineering may be required.core of 6.0 has also been assigned.

Invensys encourages users affected by these vulnerabilities to follow the instructions in their security bulletin, found here:

Installation of the Security Update does not require a reboot. If multiple products are installed on the same node, the customer need only install the Security Update once.
To install the update, Invensys recommends users to follow the instructions found in the ReadMe file for the product and component being installed.

In general, Invensys recommends that users:

  • Back up the Galaxy Database
  • Back up the Wonderware Information Server Database
  • Run the Security Update Utility

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICSA-12-081-01.pdf

Possibly Related Articles:
SCADA Vulnerabilities Infrastructure Buffer Overflow Advisory ICS ICS-CERT Industrial Control Systems Invensys Wonderware
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.